Method and apparatus for creating, supporting, and using travelling programs.

A method and apparatus for creating, supporting and using a travelling program is disclosed. A "travelling program" is a digital data structure which includes a sequence of instructions and associated data and which has the capability of determining at least one next destination or recipient for receiving the travelling program and for transmitting itself together with all relevant data determined by the program to the next recipient or destination. The travelling program can compute, according to any algorithm whatsoever, the digital material which is to be signed, and also, as needed, the digital material which is to be verified. The present invention also allows the program to conditionally decide, based on any known criteria, which users should participate in the signature process. The present invention also uses digital signatures to allow the travelling program to provide other types of valuable authentication. For example, as a security convenience the present invention allows for the digital signature authentication of the entire transmission from one user to another. This includes the travelling program itself, its variables, and any ancillary data or files. The present invention provides a unique mechanism for automating data collection among a group of users. The travelling program may be sent to one user, attach (or detach) relevant data files and move on to the next user. Data or files collected from one or more users can be deposited with another user, or accumulated for batched processing as desired. This methodology eliminates the need for individual users to be counted on to transmit all the required data in the required format. The present invention also efficiently performs electronic document interchange (EDI) in the context of a travelling program which sends itself from one user to the next within an organization, collecting, editing and approving data.

FIELD OF THE INVENTION

The present invention relates to a method and apparatus for creating a "travelling" program which has the capability of moving itself together with necessary associated data from one computer user to another to thereby create a powerful tool for processing, authenticating, and collecting data at various computer nodes.

BACKGROUND AND SUMMARY OF THE INVENTION 

Within an organization, documents are often moved manually. A mail or delivery service is often employed when documents are required to be transmitted between organizations.

Techniques for electronically transmitting documents within an organization and between organizations are well known. The rapid growth of electronic mail systems, electronic transfer systems and the like have served to automate certain business transactions and eliminate some of the manual document transfers that are in most instances unnecessary.

One prior art methodology for automatically transferring information between users (for example, within an organization) utilizes a so-called "electronic form" methodology. This "electronic form" methodology presents data to a user, solicits the user's input via a conventional display, verifies that the input data has been correctly entered, and thereafter transmits such data to another user.

The electronic form methodology is very limited in many respects. For example, if the data represents any value, then there is always the potential danger that data could be manipulated or altered, or simply created bogusly. Attempts to address this danger have involved flagging certain critical fields which are to be digitally signed. This allows a certain limited amount of authentication for specific input fields, exactly as they were entered.

However, it does not permit complex data structures to be assembled and then digitally signed. The present invention allows for the travelling program to compute, according to any algorithm whatsoever, the digital material which is to be signed, and also, as needed, the digital material which is to be verified.

Thus, for example, the present invention allows the actual data which is signed to be different than any field data itself. In fact, it is possible that the signed material contains none of the actual data as presented by the user.

An example of one way this is especially useful is when the travelling program of the present invention creates an EDI (electronic data interchange) transaction based on aspects of the entered data. The program has the ability to sign the EDI transaction. Such EDI transactions may well be composed of complex digital information which was looked up, based on internal tables within the program, from other tabular files, or from the supervisor or interpreter which drives the travelling program. Thus, where input fields may have been simply entered as "X"s which selected from some table, the actual digital material which is signed is entirely different.

It is anticipated that the type of digital signature described above may be applied to data construction which will have a long life - and perhaps be verified by different entities over a period of time. In the case of EDI, for example, the signatures can be bound to the EDI transaction itself, and may be verified by any future recipients of that transaction, even outside the context of the travelling program. This type of digital signature is analogous to a hand-written signature which appears at the bottom of a paper purchase order or contract.

In addition to being able to sign arbitrary data, the present invention also allows the program to conditionally 
decide, based on any known criteria, which users should participate in the signature process. 

For example, with the present invention, the travelling program can make logical determinations, within the program, as to what co-signature requirements may exist for particular data, user, or some combination. This can include information contained in a user's X.500 certificate, or enhanced digital certificate (e.g., as according to the inventor's U.S. Patent No. 4,868,877 or 5,005,200). Because complete programmatic flexibility exists, such extracted information can even be used to regulate the future transmission route for the travelling program.

In addition to using digital signatures for simple authentication, the present invention also allows authority requirements and uses to be included and verified as well. This draws upon, for example, the teachings of 4,868,877 and 5,005,200 to control authority proof and delegation.

On the other hand, the present invention also uses digital signatures to allow the travelling program to provide other types of valuable authentication. For example, as a security convenience the present invention allows for the digital signature authentication of the entire transmission from one user to another. This includes the travelling program itself, its variables, and any ancillary data or files.

This second type of digital authentication differs from the data-oriented authentication described above, in part, in that it carries long-term significance - since the variables and other data which are transmitted will be changed once the receiving user has taken any action at all. This second type of authentication is therefore primarily seen as a protection against tampering, and can also be used forensically as a backward audit to detect unauthorized tampering even by one of the actual users of the form.

In addition, the present invention also provides a third type of authentication, whereby the travelling program itself may be signed, authenticated and authorized by some trusted issuing authority (e.g., perhaps the author), to insure that no bugs or "viruses" have been introduced. (This even protects against infection by a user which has valid possession of the program along the route).

The present invention provides a unique mechanism for automating data collection among a group of users. The travelling program may be sent to one user, attach (or detach) relevant data files and move on to the next user. Data or files collected from one or more users can be deposited with another user, or accumulated for batched processing as desired. This methodology eliminates the need for individual users to be counted on to transmit all the required data in the required format.

The present invention also efficiently performs electronic document interchange (EDI) in the context of a travelling program which sends itself from one user to the next within an organization, collecting, editing and approving data. At the appropriate point, as determined by the program's logic, it is then able to programmatically generate a standard EDI transaction (e.g., such as the X12 850 Purchase Order transaction set) for transmission to another organization. The travelling program is able to digitally sign the finished transaction set. Accordingly, any receiving organization which can process the standardized EDI, and the standardized signature, will be able to authenticate and process the incoming material, even if the receiving organization does not have all the powerful techniques available which are taught by the present invention.

Conversely, the present invention allows a travelling program to receive ordinary EDI transactions, possibly signed, and allows them to be parsed and incorporated into its variables. The travelling program then has the capability of validating the input and incorporating them into displays, and to move them among various recipients as necessary.

According to a first aspect of this invention, there is provided in a communications system having a plurality of computers coupled to a channel over which computers may exchange messages, a method for processing information among said computers comprising the steps of: providing a first computer with a sequence of program instructions which are executed by the first computer, including instructions which determine at least one next destination that should receive the set of instructions, said set of instructions including instructions for transmitting said instructions together with accompanying data to said next destination; computing a digital value, the content of which is based on logical decisions and manipulations performed by said program; and performing a digital signature on said digital value at at least one destination.

According to a second aspect of the invention, there is provided in a communications system having a plurality of computers coupled to a channel over which computers may exchange messages, a method for processing information among said computers comprising the steps of: providing a first computer with a sequence of instructions which are executed by the first computer, including instructions which determine at least one next destination that should receive the set of instructions, said set of instructions including instructions for transmitting said instructions together with accompanying data to said next destination; acquiring data from users of at least one of said computers via execution of said instructions; translating said data via the executing of said instructions into a specialized data structure conforming at least in part to a recognized standard whereby said data structure is useful independently of said instructions; and digitally signing said data structure via the execution of said instructions.

According to a third aspect of this invention, there is provided in a communications system having a plurality of computers coupled to a channel over which computers may exchange messages, a method for processing information among said computers comprising the steps of: providing a computer with a first travelling program comprising a sequence of instructions which determine at least one next destination that should receive the set of instructions, said set of instructions including instructions for transmitting said instructions together with accompanying data to said next destination; providing at least one of said computers with a second travelling program; executing the second travelling program under direction of the first travelling program.

According to a fourth aspect of this invention, there is provided in a communications system having a plurality of computers coupled to a channel over which computers may exchange messages, a method for processing information among said computers comprising the steps of: providing a computer with a first travelling program instance comprising a sequence of instructions which are executed by the computer, including instructions which determine at least one next destination that should receive the set of instructions, said set of instructions including instructions for transmitting said instructions together with accompanying data to said next destination; providing at least one of said computers with a second travelling program instance; processing the second travelling program under direction of instructions in the first travelling program instance.

According to a fifth aspect of this invention, there is provided in a communications system having a plurality of computers coupled to a channel over which computers may exchange messages, a method for processing information among said computers comprising the steps of: providing a first computer with a sequence of instructions which are executed by the first computer, including instructions which determine at least one next destination that should receive the set of instructions, said set of instructions including instructions for transmitting said instructions together with accompanying data to said next destination; and selecting a file in response to execution of said sequence of instructions; transmitting at least part of the content of said selected data file to said next destination in response to execution of said sequence of instructions.

According to a sixth aspect of this invention, there is provided in a communications system having a plurality of computers coupled to a channel over which computers may exchange messages, a method for forwarding information in said communications system comprising the steps of: providing a first computer with a set of instructions which are executed by the first computer including instructions which generate a plurality of instances of said set of instructions and which initiate transmission to at least a first and a second destination which respectively receive one of said instances together with accompanying data; and including within said instances transmitted to said first and second destinations the capability of subsequently merging data that has been accumulated during their distinct transmission paths.

According to a seventh aspect of this invention, there is provided in a communications system having a plurality of computers coupled to a channel over which computers may exchange messages, a method for processing information among said computers comprising the steps of: providing a first computer with a sequence of program instructions which are executed by the first computer, including instructions which determine at least one next destination that should receive the set of instructions, said set of instructions including instructions for transmitting said instructions together with accompanying data to said next destination; and qualifying the set of operations which said sequence of instructions is allowed to perform.

According to an eighth aspect of this invention, there is provided in a communications system having a plurality of computers coupled to a channel over which computers may exchange messages, a method for processing information among said computers comprising the steps of: providing a first computer with a sequence of program instructions which are executed by the first computer, including instructions which determine at least one next destination that should receive the set of instructions, said set of instructions including instructions for transmitting said instructions together with accompanying data to said next destination; and performing a digital signature by using a private key stored in a user token device.

According to a ninth aspect of this invention, there is provided in a communications system having a plurality of computers coupled to a channel over which computers may exchange messages, a method for processing information among said computers comprising the steps of: providing a first computer with a sequence of program instructions which are executed by the first computer, including instructions which determine at least one next destination that should receive the set of instructions, said set of instructions including instructions for transmitting said instructions together with accompanying data to said next destination; and performing a date/time notarization.

According to a tenth aspect of this invention, there is provided in a communications system having a plurality of computers coupled to a channel over which computers may exchange messages, a method of processing information among said computers comprising the steps of: providing a first computer with a sequence of program instructions which are executed by the first computer, including instructions which determine at least one next destination that should receive the set of instructions, said set of instructions including instructions for transmitting said instructions together with accompanying data to said next destination; and performing a time delay function.

BRIEF DESCRIPTION OF THE DRAWINGS

These as well as other features of this invention will be better appreciated by reading the following description of the preferred exemplary embodiment of the present invention taken in conjunction with the accompanying drawings of which:
FIGURE 1 is a block diagram of a communication system in accordance with an exemplary embodiment of the present invention;
FIGURE 2 shows an exemplary structure of a travelling program together with its associated components;
FIGURE 3 shows an exemplary execution control area data structure;
FIGURE 4 shows the data structure of a file control block (FCB) which is used when a travelling program attaches files to, or detaches files from itself;
FIGURE 5 shows a process control block that is utilized in the execution of a travelling program;
FIGURE 6 illustrates a variable control block data structure (VCB) which is used for controlling variables;
FIGURE 7 shows an exemplary travelling program loader;
FIGURE 8 shows how the header is loaded;
FIGURE 9 shows how the "program" segment of the travelling program is loaded;
FIGURE 10 shows how the "variables" segment of the travelling program is loaded;
FIGURE 11 shows how the "certificate" segment of the travelling program is loaded;
FIGURE 12 shows how the "file" segment of the travelling program is loaded;
FIGURE 13 delineates how the "closure" segment of the travelling program is loaded;
FIGURE 14 represents the operations performed in processing P-code instructions;
FIGURE 15 shows processing which takes place after the P-code operation is performed;
FIGURES 16A and 16B show processing for handling program defined functions or calls;
FIGURE 17 shows the sequence of operations for handling built-in functions;
FIGURES 18 and 19 delineate the sequence of operations performed for executing external functions or calls;
FIGURES 20 and 21 delineate the operations which are performed when a travelling program mails itself to a predetermined recipient;
FIGURE 22 delineates the sequence of operations for attaching a file to the travelling program;
FIGURE 23 shows how a file may be erased from a user's system;
FIGURE 24 shows the sequence of operations performed in detaching a file from a travelling program;
FIGURE 25 delineates the sequence of operations performed when a file has been transformed into a user file;
FIGURE 26 delineates the sequence of operation performed when material is to be digitally signed;
FIGURE 27 delineates the sequence of operation performed by a "INTER-ROLLOUT" function;
FIGURE 28 shows the sequence of operations performed when displaying information to the user;
FIGURE 29 delineates the sequence of operation performed by the "time delay" routine;
FIGURE 30 shows the sequence of operations for a "select from directory" function;
FIGURE 31 is a routine which demonstrates how the interpreter program permits a user to perform digital signatures;
FIGURE 32 exemplifies how a user verifies received information;
FIGURE 33 illustrates how a travelling program collects a file to be transferred;
FIGURE 34 illustrates the travelling program operations performed in reading data from a specified file;
FIGURE 35 illustrates how the travelling program may update or create a file from program variables;
FIGURE 36 illustrates how a travelling program may be designed to be split and send programs to a number of different recipients;
FIGURE 37 demonstrates how previously split programs may be merged;
FIGURE 38 shows an alternative approach to merging previously split travelling program information;
FIGURE 39 is a flowchart indicating how the travelling program has been designed to accommodate electronic document interchange generation functions; and
FIGURE 40 relates to the use of travelling program in receiving an electronic data interchange transaction.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Figure 1 shows a block diagram showing an exemplary communication system which may be used in conjunction with the present invention. This system includes a communication channel 12 over which communication between terminals A, B, ...N may take place. Communication channel 12 may, for example, be an unsecured communications channel such as a telephone line.

Terminals A, B, ...N may, by way of example only, be IBM PC compatible computers, having a processor (with main memory) which is coupled to a conventional keyboard/CRT display 4. The processor with main memory 2 is also coupled to a non-volatile storage which may be a disk memory. Each terminal A, B, ...N also includes a conventional IBM PC communications board (not shown) which, when coupled to a conventional modem (6, 8, 10, respectively), permits a terminal to transmit and receive messages including travelling programs.

As used herein, a "travelling program" is a digital data structure which includes a sequence of instructions and associated data and which has the capability of determining at least one next destination or recipient for receiving the travelling program and for transmitting itself together with all relevant data determined by the program to the next recipient or destination.

Each terminal is capable of generating a message and performing whatever digital signature operations may be required to load and execute the logic, data, and functions inherent within the travelling program (as described more fully herein), and transmitting the message to other terminals connected to communication channel 12 (or to a communications network (not shown) which may be connected to a communication channel 12).

The digital signature and certification methodology described in the inventor's U.S. Patent Nos. 4,868,877 and 5,005,200, as well as 5,001,752 may be used herein, which patents are hereby expressly incorporated herein by reference. Alternatively, more conventional digital signature methodology may be utilized.

Before describing the details of the "travelling program" structure and methodology in accordance with an illustrative embodiment of the present invention, an example of the general operation in an actual business transaction context will be briefly described. Initially, presume that the user of the Figure 1 terminal A is a relatively low level engineer who is a part of a design team in a corporation seeking to obtain component parts to complete a circuit design project.

The engineer using keyboard 4 would access a parts requisition "travelling program" of the type to be described in detail below. The requisition "travelling program" will prompt the engineer to describe the component parts needed. The travelling program includes an instruction sequence which will automatically transmit itself to a next destination, e.g., to a supervisor who has access to terminal B and who is higher up in the organizational structure and possesses the authority to approve the requisition request and digitally sign it. The travelling program may also transmit ancillary information, such as files which may be necessary or useful at future destinations. The supervisor will be prompted to properly digitally sign the request. It is possible that the digital signature reflects not only specific variable values, but also the variable names. Alternatively, the signature may also reflect some aggregate structure which is derived from variables computed within the program, wherein the values may be based on any of many sources, including data read from file, user input, data built into the program, various signer's certificates, or data which is extracted from the user environment (such as the user's ID), etc.

If the request is approved, the requisition form will take a different path in the organization than if it is not approved. The travelling program can have the intelligence to determine, based upon the input from the supervisor at the operating terminal B, where to transmit itself within the organization. The travelling program will also, if desired, load the memory associated with terminal B with the appropriate data relating to the requisition and attach, if desired, any files from terminal B that need to be forwarded elsewhere in the organization.

Once a signature has been done, the travelling program has the ability at any later time, for any later user, 
for any reason to recompute any material to be verified, and to perform a digital signature verification. 

The results of such verification can be announced to any recipient, or more likely, the travelling program can simply perform the verification and announce a problem should there be a failure (which suggests attempted data tampering).

Because the travelling program monitor may embody the teachings of 4,868,877 and 5,005,200, it is pos- 
sible for authorization to also be checked so that any recipient can be assured that the necessary authoriza- 
tions were performed. 

After a particular data structure has been constructed and signed under control of the travelling program, it is possible to subsequently reconstruct that data structure and to provide its signature to any other entity. Such data cannot be subsequently tampered with by any entity.

However, the present invention also embodies capability whereby all the transmitted data is digitally signed as it is sent from one user to the next. The travelling program processor in the recipient's computer can automatically verify this signature as the travelling program is loaded. This assures that no component whatsoever is altered or tampered along the way. While this overall signature only reflects the state of the data during this particular transmission, and has no significance for later users, it does insure a perfect transmission untampered by third parties, and it does provide a forensic audit mechanism if it is necessary to trace covert tampering by participating users, while those users had possession of the form. This overall signature differs from current capabilities whereby electronic mail is signed, in that the signature can be conditionally induced by the travelling program itself, as part of the transmission process.
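
The data-oriented signature and the overall transmission signature distinguished in the summary and in the paragraphs above can be seen side by side in the following added example, which is not part of the patent text. The envelope layout, user names, catalog and function names are assumptions made for illustration, and textbook RSA over publicly known Mersenne primes stands in for a real signature scheme so that the code runs with the Python standard library alone.

```python
import copy
import hashlib
import json

E = 65537

def _toy_key(a, b):
    # Constructed toy key: textbook RSA over two publicly known Mersenne primes.
    # A stand-in for a real signature scheme; the factors are public, so it is not secure.
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

KEYS = {"supervisor": _toy_key(521, 607), "clerk": _toy_key(1279, 2203)}
PUBLIC = {user: key["n"] for user, key in KEYS.items()}  # all that a verifier needs

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(user, data):
    key = KEYS[user]
    return format(pow(_digest(data), key["d"], key["n"]), "x")

def verify(user, data, sig_hex):
    if user not in PUBLIC:
        return False
    return pow(int(sig_hex, 16), E, PUBLIC[user]) == _digest(data)

def canonical(obj):
    # One fixed byte encoding, so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

# Table held by the program: the user only ticks "A" or "B" on the form.
CATALOG = {"A": ("74LS00", 25), "B": ("LM741", 110)}  # part number, unit price in cents

def compute_material(variables):
    """Program logic: build the material to be signed from the entered fields."""
    lines = []
    for choice, qty in sorted(variables["selections"].items()):
        part, cents = CATALOG[choice]
        lines.append(f"LINE*{qty}*{part}*{qty * cents}")  # EDI-like, not real X12
    return "\n".join(lines).encode()

SEGMENTS = ("header", "program", "variables", "closure")

def sign_data(envelope, user):
    # Data-oriented signature: covers only the computed material, so it stays
    # verifiable after the material leaves the travelling program.
    sig = sign(user, compute_material(envelope["variables"]))
    envelope["closure"]["data_sig"] = {"signer": user, "sig": sig}

def seal(envelope, sender):
    # Transmission signature: covers every segment as it leaves this user.
    body = canonical({name: envelope[name] for name in SEGMENTS})
    envelope["transmission"] = {"sender": sender, "sig": sign(sender, body)}

def load(envelope):
    """Recipient-side loader: check the hop first, then the long-lived signature."""
    body = canonical({name: envelope[name] for name in SEGMENTS})
    hop = envelope["transmission"]
    if not verify(hop["sender"], body, hop["sig"]):
        return "transmission signature invalid"
    data_sig = envelope["closure"].get("data_sig")
    if data_sig is None:
        return "ok (unsigned data)"
    material = compute_material(envelope["variables"])
    if not verify(data_sig["signer"], material, data_sig["sig"]):
        return "data signature invalid (last sealed by %s)" % hop["sender"]
    return "ok"

def demo():
    env = {"header": {"name": "parts-requisition", "version": 1},
           "program": "compute_material",
           "variables": {"selections": {"A": 10, "B": 2}},
           "closure": {}}
    sign_data(env, "supervisor")
    seal(env, "supervisor")
    results = {"clean": load(copy.deepcopy(env))}

    in_transit = copy.deepcopy(env)          # altered on the channel
    in_transit["variables"]["selections"]["A"] = 1000
    results["in_transit"] = load(in_transit)

    resealed = copy.deepcopy(env)            # altered by a participant, then re-sealed
    resealed["variables"]["selections"]["A"] = 1000
    seal(resealed, "clerk")
    results["resealed"] = load(resealed)

    # The data signature alone still verifies outside the envelope.
    ds = env["closure"]["data_sig"]
    exported = b"LINE*10*74LS00*250\nLINE*2*LM741*220"
    results["standalone"] = verify(ds["signer"], exported, ds["sig"])
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

In the re-sealed case the hop signature verifies because a legitimate participant produced it; only the supervisor's data signature exposes the altered quantity, and the hop record names the user who last had possession.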

Ultimately, after all the approvals have been obtained within the organizational structure, the travelling 
program will create an actual Purchase Order. 

This could be done in many ways. It may well be possible for a travelling program to support several methods, choosing the one most appropriate for a given circumstance. We describe four possibilities here:

1. The travelling program could simply print out the final purchase order on paper - possibly even printing the company logo, letterhead, etc. - which would be physically mailed.

2. The travelling program, if coupled with an outgoing computer-to-fax capability, could automatically generate a purchase order image, that would appear on the vendor's fax machine. The buyer would not have to produce paper.

3. If it is known that the vendor also supports the travelling program methodology of the present invention, then it is possible that the travelling program will simply designate the vendor as a next destination.

4. It is also very possible that the vendor does not use the present invention, or that the purchaser's travelling program cannot determine with certainty that the vendor is able to handle the travelling program methodology.
Therefore, the travelling program manipulates its internal data to construct a standardized EDI (Electronic Data Interchange) transaction, which can be widely recognized and processed. The travelling program may also cause a digital signature to be performed on the computer EDI transaction, and the signature and the transaction can both be transmitted. The travelling program would then transmit the EDI transaction, as well as any possible signature, to the recipient. (Such transmission is independent of, and should not be confused with, the transmission of the travelling program and its ensemble from user to user as part of its directed travels.)

Any recipient that can handle standardized EDI transactions is then able to handle the received EDI input. Any recipient that can handle digital signatures, is further able to authenticate the transaction. Furthermore, provided the recipient has sufficient software capability to recognize them, the recipient can also automatically validate any authorization that may be embodied as part of the signature. It is up to the logic of the travelling program the extent to which certificates should be transmitted along with a signed transaction.

In any of the above cases, the travelling program can spin off the purchase order (P.O.) information to the vendor, using any of several possible levels of automation. Following this, the travelling program might transmit one version of itself, or possibly just a letter, back to the originator, to inform him that the P.O. has been sent. Other information can be sent to an archive, or to a queue to await further processing. This information could be a simple message, a record added to a file, or perhaps the travelling program schedules a full traversal (automatic "mailing" or transmission).

Figure 2 illustrates the structure of a travelling program together with its associated components in accordance with an exemplary embodiment of the present invention. The Figure 2 travelling program includes at least the following multi-field segments. A first header segment 20 preferably identifies the size of each of the component segments, the name of the associated program (and possibly other segments described below), the date, the type of each component (e.g., the program is the source language program, or the program is P-code that has already been compiled), the identity of the form, version of the interpreter needed to execute it, data necessary to resume execution at the appropriate point of program resumption (such as execution stacks, PCBs, etc.), dates associated with the latest traversal, and program authorization information (PAI). Each segment in the travelling program structure may include its own description so that the "type of each component and size" field "S" would not be included in the header segment 20. For the purposes of the present application, program authorization information (PAI) may be regarded as security information which defines the range of operations that the associated program is permitted to perform (e.g., defining access to files, the ability to call programs, ability to generate electronic mail, ability to transmit data to other users, ability to release documents, ability to execute machine language programs, ability to access special areas of memory, ability to display information to users, ability to solicit digital signatures, ability to access a digital notary public device, etc.). Further details regarding the nature and use of the program authorization information may be found in applicant's application Serial No. , entitled, "Computer System Method and Apparatus Using Program Authorization Information" (Atty Dkt. 264-29). The header segment 20 may also include a version number of the associated travelling program.

The travelling program code 22 segment follows the header in the exemplary embodiment and preferably
is written in the restructured external execution programming language (e.g., the REXX language) or
something akin to PASCAL or COBOL. The program itself may, for example, relate to a purchase order related
application.

The travelling program will possess the characteristics described above including the ability to transmit
itself to further recipients. Thus, program 22 will include instructions for forwarding itself via whatever medium
is available to one or more recipients; this is known herein as a "traversal". One source code instruction or
several P-code instructions may be required to result in the "traversal" of the travelling program to one or more
identified recipient(s). The travelling program structure set forth in Figure 2 is designed to be independent of
any particular computer architecture and is structured in accordance with international standards (e.g., X.209
format).

The travelling program also includes a "variables segment" 24. Prior to being executed by a first user, the
variable segment 24 may be virtually empty. Once the program is sent to a recipient, further variables will
become defined as they are required by the program to thereby result in an increasing number of variables as
the program is further executed. By way of example only, the variable section 24 may identify a variable, such
as "total.dollars.received" together with an actual data value for this variable.

Each variable may have associated therewith the information set forth in each of the fields 32-42 shown
in Figure 2. Field 32 identifies the size of the variable name. The variable name itself is stored in field 34. The
size of the value of the variable is set forth in field 36. The value of the variable is in field 38. Field 40 identifies
the execution stack level to which the variable belongs. The execution stack level is identified since the same
variable name can exist at different levels within a program (e.g., one variable name may exist in a first
subroutine while the same variable name may exist in a separate or nested subroutine and yet have a different
definition). The execution stack level is helpful in reconstructing the travelling program in a recipient's computer
to take on the same logical structure it had in the sender's computer. Field 42 is an optional field which may
identify a type of variable, e.g., strings, octets, integers, etc.

The "variables" section 24 may also include a digital signature of the respective variables and related
information. Thus, it is also possible for one or more variables to reflect digital signatures which have been taken
at various times during the travelling program's execution path. One of the significant aspects of the current
invention is that the travelling program can create a digital signature on any type of information. This signature
is itself carried as a variable. To verify the signature it is necessary for the program to indicate (or possibly
recompute) the exact value which was signed, and then pass that, together with the signature value (also
indicated by a variable) to the VERIFYSIGNATURE function of the travelling program. By including a digital
signature of variables, a recipient will be enabled to verify that the data 1) has not been tampered with, 2) has
been validly signed, and 3) the signer was properly authorized. See above identified U.S. Patent No. 5,005,200,
which describes a preferred mechanism for associating authority with a digital signature.

A segment 26 is shown in Figure 2 for optionally including with the travelling program, certificates
associated with any digital signatures so that any signatures may be verified by a recipient as described, for
example, in the above-identified U.S. Patent No. 5,005,200. Alternatively, the certificates could be included in
the "variables" section together with the digital signatures.

Segments 28A-28N contain file images that are recorded and tagged by name to enable the travelling
program to attach and store a file belonging to a travelling program user. Thereafter, the user's file may be
transmitted along with other prior users' files with the travelling program. The name of the file facilitates later
accessing of the file by a user and permits the travelling program user to identify any file which is, for example,
to be further transmitted, or which is to be deposited with a particular user under particular circumstances.

The travelling program also includes a "closure segment" 30 which includes, for example, the digital
signature of the entire travelling structure so that the recipient can verify that the transmission of the entire
travelling structure has not been tampered with since it was last sent.

Having described the travelling program data structure, we now describe the data structures utilized during
the execution of a travelling program and the associated software for executing the travelling program. An
execution control area (XCA) data structure is shown in Figure 3. The XCA specifies information required by the
program which executes the travelling program, once the travelling program has been received by a recipient,
and compiled into P-code (unless it was originally transmitted in P-code).

As shown in Figure 3, XCA segment 82 identifies the address and size of the program as it appeared in
the incoming file. It should be recognized that, throughout this description, whenever a segment is stated as
storing an "address" or "location", the data may be a physical or logical address and need not necessarily
directly specify an actual physical memory location. The program may be received in source or P-code and
an indication is maintained as to which is the case. The execution control area includes a segment 84 which
is indicative of the address of the P-code version of the program and its size. The address (or pointer to the
address) of the current program control block is identified in segment 86. The location of the list of file control
blocks (FCB) which is used, for example, to attach and detach files associated with the travelling program is
set forth in segment 88. The address of the certificate control area (CCA) which is used for controlling
certificates which are attached to the travelling program is set forth in segment 90. The location of the "variable"
information table (VIT) is set forth in segment 92 which controls and maintains variables in the form of a
"B-tree", which is a hierarchical binary tree structure which identifies the location of each program "variable".

The execution control area also includes a security information segment 94 which may be used for verifying
the authenticity and the authority implicit in the travelling program. Segment 96 defines the name of the file
that contains the incoming travelling program which may need to be accessed. Segment 98 keeps track of the
number of times the program has mailed itself along the incoming path. The execution control area also
includes an input parameter section 100, whereby parameters relating to the execution of the program may be
identified. Execution control area segment 102 identifies the input header information received from the
travelling program file so that the header information will be available.

Figure 4 shows the data structure of a file control block (FCB) which is used when a travelling program
attaches files to, or detaches files from itself. The file control block includes a tag field 116 which identifies a
tag for referencing a particular file to be attached or detached in a particular user's system. The file control
block also includes a segment 110 which is a pointer to the next file control block. The file control block also
includes a status segment 112 which defines various status conditions such as whether the associated file
has just been attached by the received travelling program; whether the file can be detached on the next
traversal (i.e., next mailing); whether the file has been exported (i.e., the associated file image has already been
loaded into a separate user file); and an indicator as to the "type of file" such as whether the file is stream
oriented or record oriented. Other attributes of the file may be defined in this field.

Segment 114 stores an indication as to the file's position within the main incoming travelling program file
so that the particular file in question may be quickly accessed. Segment 118 identifies the local name
of the file (i.e., the file name identified by the most recent recipient of the travelling program). The local name
of the file is typically provided if the file has been attached and is being forwarded to a further recipient or if
an already attached file is being "exported", i.e., stored locally by a particular user. Additionally, as shown in
Figure 4, the FCB may contain a hash of the associated file. As will be appreciated by those skilled in the art, a
hash is a "one way" function which should be computationally easy to compute given the underlying data.
Given a hash value, it should be computationally impossible either to determine the underlying
data, or to create any data which has the specified value as its hash. For all practical purposes, the value
obtained from applying a hashing function to the original aggregation of data is an unforgeable unique fingerprint
of the original data. If the original data is changed in any manner, the hash of such modified data will be
different.

Figure 5 shows an exemplary program control block that may be used during the execution of the travelling
program. A program control block keeps track of control information regarding the program being executed in
a structured programming context where one routine calls another routine, each routine having an associated
program control block.

The program control block segment 50 points to the prior program control block in the program execution
control stack. The program control block includes a segment 52 which defines the next P-code position to be
executed in the current executing program and segment 54 defines the type of last P-code operation
performed. Segment 56 includes a pointer to an expression evaluation stack which is used during expression
evaluation. The execution stack is typically distinct from the program stack, in that the execution stack is used for
evaluating expressions and keeping track of internal state. Segment 58 defines the level of this stacking
program and segment 60 defines a pointer to a list of shared variables. In the REXX language an "exposed"
statement may be used for accessing shared variables.

Figure 6 illustrates a variable control block data structure (VCB) which is used for controlling variables.
Segment 62 identifies where in the B-tree a variable is located and may contain several pointers. Segment 64
identifies the size of the variable value and segment 66 identifies a pointer to where the value is located in
memory. Segment 68 may be optionally used to identify the type of variable. Segment 70 identifies which level
of the travelling program the variable is associated with, so that after the program is executed, any local
variable which was associated with the program may be readily deleted. Segments 76 and 80 identify the size
of the variable name and the name, respectively.

We now turn to illustrating the execution of the travelling program. The sequence of operations performed
by a "loader" portion of an interpreter execution-driving program is set forth in Figures 7-12. These operations
relate to preparing to execute a travelling program.

A travelling program may execute in one of a plurality of different modes such as an interactive user mode,
a mode in which it is called by another program, or a batch operation mode in which it is sent from node to
node collecting information. Initialization information is input during the start-up operation (120) to identify the
particular operating mode as well as associated run-time parameters.

The flowcharts set forth in Figures 7-12 illustrate how a travelling program structure shown in Figure 2 is
loaded. In loading the travelling program, the interpreter creates the execution control area XCA and initial
program control block PCB. It saves access to input parameters, saves the names of the input files that it has
been given to load and initializes the variable information table (VIT) (122). In flowchart block 122, the
execution control area and program control block associated with the travelling program are established. The
various XCA and PCB fields are filled in during subsequent processing.

Thereafter, the loader begins loading travelling program segments, i.e., header, program, variables,
certificates, file and closure segments as shown in Figure 2. Loading each of the travelling program segments
described above, e.g., header, program, etc., causes appropriate data to be filled in as described below.

In block 124, a decision is made as to whether more segments need to be processed. If so, then the initial
input is read for that segment and the type of segment is determined after which segment processing is initiated
depending upon the type of segment (126).

Turning to the header processing of Figure 8, initially, a check is made to determine whether the segment
being processed is the first segment (150). If not, then an error condition exists (152) since the header must
be the first segment. If the first segment is being processed, then the header is read and hashed. The header
data is stored into the XCA (154).

The routine then branches back to Figure 7 at entry point L. The loader determines whether there are any
more segments to be processed (124). If so, block 126 is executed to result in the processing of the "program"
segment as shown in Figure 9. Initially, a check is made to determine whether there is a header, and no program
has yet been loaded (160). If the answer is no, then an error condition exists (162). If the answer is yes, then
the program is read and a hash is taken (164).

Thereafter, the program hash and/or digital signatures associated with the program (and/or the header)
are verified 166. If the digital signatures were not properly authorized or could not be verified, then an error
condition results 166. If verification occurs, then any security and authorization information associated with
the travelling program is saved (170). Such authorization information could alternatively be kept in the header
or in the program segment.

In block 172, a check is made to determine whether the program has been sent as P-code. If source code
rather than P-code has been sent, then the source code is compiled into P-code using conventional compiler
techniques known to those skilled in the art and the source code image is deleted from storage 174. Regardless
of the check at block 172, the position in the incoming file of the program, whether it is in source or P-code
format, is saved in the XCA. Knowing the location and extent of the incoming image simplifies the copying
of the program into eventual outbound traversal(s). Finally, regardless of whether the P-code was just
compiled, or whether it was read from the incoming file, the main storage address and size of the P-code is set
into the execution control area (XCA) in 178, after which the routine shown in Figure 7 is reentered at block
124 to thereby result in loading remaining segments such as the "variable" segment processing shown in Figure
10.

In processing the "variable" segment as indicated in block 190, a check is made to determine whether the
header and program have been loaded but no prior variables. If this is not the case, then an error condition
results 192. If a header and program have been loaded, but no prior variables, then we begin an iterative process
to read all the variables, if any. A check is made at 194 to determine whether there are (more) variables to
read. If there are more variables to read, then for each variable, a variable control block (VCB) is created as
shown in Figure 6 and is completed by the insertion of a variable identifier and value into the variable control
block (VCB) and the setting of certain status conditions in the VCB. Additionally, the variable control block is
added to the proper spot in the variable information table (VIT), the table which contains all program variables
(196).

Additionally, other variable information, for example, related to previous executions of the travelling
program, is loaded into memory stacks or program control blocks as appropriate 198. Alternatively, it may be
desirable to keep such "control" information in the header segment rather than here. Thereafter, the routine
branches back to block 194, where checks are made to determine whether more variables are required to be
read. The processing continues until no more variables need to be read, at which point the routine branches
back to block 124 of Figure 7 to thereby result in loading the next segment.

As indicated in Figure 11, each certificate is read (200) and a certificate element is created which is then
added to a certificate control area (CCA) in storage (202). As schematically indicated in Figure 11, the process
is repeated until all certificates are received at which point the routine branches back to block 124 to check
for any more segments.

Alternatively, it may be desirable to transmit the certificate segment ahead of the program segment, so
that certificates used as part of program authentication/authorization can be maintained together with any
certificates used by program variables and user-to-user authentication.

This branching operation results in the "file" segment processing shown in Figure 12. Since the file
segments typically follow the "variable" segments, a check is made to determine whether the variable segment
(even if null) has already been loaded. If not, then an error has been detected and an appropriate error message
is generated 212. If the "variable" segment has already been loaded, then as indicated in block 214, a check
is made to determine whether the file tag associated with the file has already been loaded. If so, then an error
is detected indicating that the file has been duplicated 216.

If the file tag has not already been loaded, then as indicated in block 218, a file control block is built for
the file, the tag name is set, other status indicators are set that may have already been associated with the
travelling program, and the file position is set relative to the incoming file.

Thereafter, the file is read and its hash is computed and saved in segment 115 of the FCB. The size of
the file is saved in segment 114 of the FCB. The file need not be loaded into memory at this time (220).
Thereafter, the file control block which has been created is added to the file control block list collected in the XCA
and the routine branches back to block 124 to process the next segment (probably "closure").

In the "closure" processing in Figure 13, the hash is computed of all previous hashes for each previous
segment (230). It should be recognized that all the "segment" material is read subject to hashing. A check is
then made in block 232 to determine whether the hash taken and calculated in 230 matches the hash added
when the travelling program was sent (which is stored in the closure segment). If there is no match, then an
error condition results 234.

If there is a match, a check is made as to whether the travelling program is signed (236). If not, then as
suggested at block 238, an action is taken to incorporate whatever level of security is desired, such as possibly
presenting a notification that the transmission data is not entirely signed (238).

If the transmission was signed, then the signature is verified and a message is presented to the user to
accurately identify the party who actually sent the travelling program (and the associated purchase order or
other form) 240. The routine then branches back to block 124 of Figure 7.

The completion of the "closure" processing in Figure 13 results in block 124 determining that there are
not more segments to be processed. Thereafter, a check is made to determine whether closure was
successfully received and processed (128). If it was not, then the routine stops execution after performing an
unsuccessful validity check (130) and processing halts 132.

If the check at block 128 reveals that closure was successfully completed, then various steps are taken 
to prepare for program execution (134). In this regard, stacks are restored, the variable information table and 
variable control blocks are restored. The program control blocks are restored such that they contain the exe- 
cution resumption point. 
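The loader checks of Figures 7-13 (header first, segment order, duplicate file tags, closure hash over the segment hashes, optional closure signature) are shown here as an added Python example; it is not code from the patent. The tuple encoding of segments, SHA-256, the error strings and the HMAC stand-in for a public-key signature are assumptions.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 is an assumption; the page names no hash function

class LoadError(Exception):
    """Raised wherever the loader flowcharts branch to an error condition."""

def segment_hash(kind, tag, body):
    # Length-prefix each part so type, tag and body cannot be shifted into
    # one another without changing the hash.
    h = hashlib.sha256()
    for part in (kind.encode(), tag.encode(), body):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def closure_hash(hashes):
    # Block 230: one hash computed over all previous segment hashes, in order.
    return hashlib.sha256(b"".join(hashes)).digest()

def seal(segments, sign=None):
    """Sender side: append the closure segment (hash plus optional signature)."""
    digest = closure_hash([segment_hash(*s) for s in segments])
    return list(segments) + [("closure", "", digest + (sign(digest) if sign else b""))]

def load(segments, verify=None):
    """Recipient side: returns a dict standing in for the XCA, or raises LoadError."""
    xca = {"header": None, "program": None, "variables": None,
           "certificates": [], "files": {}, "closed": False, "signer": None}
    hashes = []
    for index, (kind, tag, body) in enumerate(segments):
        if xca["closed"]:
            raise LoadError("segment after closure")
        if (index == 0) != (kind == "header"):           # blocks 150/152
            raise LoadError("header must be the first segment and occur once")
        if kind == "header":
            xca["header"] = body
        elif kind == "program":                          # block 160
            if xca["program"] is not None:
                raise LoadError("program already loaded")
            xca["program"] = body
        elif kind == "variables":                        # block 190
            if xca["program"] is None or xca["variables"] is not None:
                raise LoadError("variables need a program and no prior variables")
            xca["variables"] = body
        elif kind == "certificate":                      # blocks 200/202
            xca["certificates"].append(body)
        elif kind == "file":
            if xca["variables"] is None:                 # block 212
                raise LoadError("file segment before variables segment")
            if tag in xca["files"]:                      # block 216
                raise LoadError("duplicate file tag")
            # FCB stand-in (blocks 218/220): keep hash and size, not the image.
            xca["files"][tag] = {"hash": hashlib.sha256(body).digest(), "size": len(body)}
        elif kind == "closure":
            digest, signature = body[:HASH_LEN], body[HASH_LEN:]
            if not hmac.compare_digest(digest, closure_hash(hashes)):  # blocks 232/234
                raise LoadError("closure hash mismatch")
            if signature:                                # blocks 236/240
                xca["signer"] = verify(digest, signature) if verify else None
                if xca["signer"] is None:
                    raise LoadError("closure signature not verified")
            xca["closed"] = True
            continue
        else:
            raise LoadError("unknown segment type")
        hashes.append(segment_hash(kind, tag, body))
    if not xca["closed"]:                                # blocks 128/130
        raise LoadError("closure not received")
    return xca

def outcome(segments, verify=None):
    """'signed by X', 'unsigned', or the loader's error text."""
    try:
        signer = load(segments, verify)["signer"]
    except LoadError as err:
        return str(err)
    return "signed by " + signer if signer else "unsigned"

# Constructed sample data. HMAC with a shared key stands in for the public-key
# signature and certificate check the page describes; it is not equivalent.
DEMO_KEY = b"constructed-demo-key"

def demo_sign(digest):
    return hmac.new(DEMO_KEY, digest, hashlib.sha256).digest()

def demo_verify(digest, signature):
    return "purchasing" if hmac.compare_digest(signature, demo_sign(digest)) else None

SAMPLE = [("header", "", b"name=po-form"), ("program", "", b"say 'PO 1001'"),
          ("variables", "", b""), ("file", "quote.txt", b"unit price 10.00")]

def tampered(sealed, reseal=False):
    """Constructed tamper case: alter the file, optionally recompute an unsigned closure."""
    body = [(kind, tag, b"unit price 99.00" if kind == "file" else data)
            for kind, tag, data in sealed[:-1]]
    return seal(body) if reseal else body + [sealed[-1]]
```

A changed file with the old closure fails the hash check, while the same change with a recomputed, unsigned closure loads and is reported only as "unsigned"; the hash alone therefore catches damage in transit, and it is the signed path that ties the ensemble to a sender.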

Thereafter, the routine shown in Figure 14 is initiated to actually process the P-code instructions. The
following problem must be considered here. Because the program execution is effectively restored identically to
the state it was at the time it was transmitted (as part of the traversal) from the sender's machine, there is an
issue of how the travelling program can distinguish whether it is in the sending machine, and just returned from
the sending itself; or whether it has just been restored in the recipient machine.

The present invention allows multiple ways to address this problem. If the traversal function is implemented
as a built-in function, then the interpreter will return a special value (say "0") to the program after it has
successfully sent itself, and another value (say "1") to the program when its execution is restored on the recipient's
machine. The travelling program can then test this value to distinguish the situation. Another way this
distinction could be made is by providing the travelling program a function to extract the "number of prior traversals"
(segment 98 in the XCA). Before invoking the traversal, the program could use this function to save the
prior-traversal-count function. If it matches the value of the variable, then the program knows the execution is
resuming in the sender's computer; if it differs (and it should only be one greater), then the program knows the
execution is resuming at the recipient's computer.

When the first user generates the travelling program, the loader routine shown in Figures 7-13 is executed
with very few, perhaps no, variables, files, or certificates. Accordingly, certain of the above-described steps
will be omitted during the initial processing. The loader routine is executed whether the travelling program is
executed for the first time or executed by further recipients.

Figure 14 illustrates the operations performed in processing P-code instructions; it is repeated for every
P-code instruction executed. As indicated in block 250, the location of the next P-code instruction is derived
from the current PCB (52), and this becomes the "current" P-code operation. In block 252, the length of this
P-code operation is determined, and the "next P-code" position (52) is updated to reflect the subsequent
P-code instruction. The type of the current P-code operation is saved in (54). (It is useful for the interpreter to
share common routines which have slight variations based on the precise operation. For example, the "call"
operation and the "function invocation" operation are similar except that the function invocation expects a
parameter to be returned.)

Thereafter, as illustrated in block 254, the indicated P-code operation is performed. Most P-code functions
involve data manipulation, logical tests and program flow control. By way of example only, such P-code
operations may include locating a variable and pushing the variable in a stack, resetting the next P-code operation
to thereby change the flow of control such as would occur in a branching operation, performing an arithmetic
or string operation, performing IF/THEN/ELSE operation based on the popped stack value, performing
DO/ITERATE/UNTIL/WHILE, or other operations based on stack values, performing SELECT/WHEN/OTHERWISE
operations based on the stack values, performing an "END" operation to close a DO/WHEN/SELECT operation.

We will soon discuss in some detail various P-code operations pertinent to the present invention's unique
operation. With the guidance given herein, the P-code functions can be implemented in a straightforward
manner by anyone familiar with writing interpreters.

However, ignoring for the moment the details of the particular P-code function, the preferred design allows
for P-code operations to generate logical "interrupts" at their completion.
These allow P-code processing to be suspended while some other, external operation must
be performed. This interrupt concept is used in the preferred design to facilitate the rollout of working storage
whenever lengthy waits or external activity is invoked.

In Figure 15, on return from the P-code routine in block 256, the interpreter determines whether the routine
has signaled a logical interrupt. If not, then return is made to 250 to handle the next P-code operation.

If an interrupt was indicated, a special check in block 258 is made to determine whether this is the special
"EXIT" request. If so, then all resources which should be released at the end of this program, such as storage,
files, variables, load subroutines, etc., are discarded in block 260. A possible return value from the P-code
operation, which may have been saved by 260, is returned in block 259 to the invoker of this travelling program.

Assuming this is not EXIT, then block 261 determines whether ROLLOUT should be performed. For
example, in certain environments, it is useful for working storage to be rolled out while a user completes entering
input, or while the travelling program is waiting for a time interval to expire, or while a lengthy (or large) external
program has been invoked from the travelling program logic, or while the digital signature routine is being
executed (since that often involves user input).

Routines which cause a P-code interrupt and a possible ROLLOUT, regardless of whether they are
implemented as built-in functions or as language statements (with their own P-code), include:

SIGN                   which applies a digital signature to any computer data, and in doing so may
                       solicit the user to select from multiple certificates, and solicit the user to
                       provide his secret password key which allows the private signature key to be
                       decrypted and used;
DISPLAY                compose and output a screen and wait for the user to supply input;
TIMEWAIT               suspend execution until a future time is reached;
SELECT.FROM.DIRECTORY  which allows selection from, e.g., a directory of users, or a directory of
                       files, etc.
NOTARIZE               wait for a time notary device to apply its own digital signature.

In some environments, ROLLOUT is pointless, and in these cases the rollout and rollin processes in blocks
262, 264, 268 will be absent or inhibited.

In any case, a P-code operation which signals an "interrupt" also supplies the address of at least 3
associated ("call-back") functions:

- the pre-rollout routine, which performs any required functions in preparation for rollout. This might
  include preparing a parm field in temporary storage to pass to ...
- the inter-rollout routine which executes after as much working storage as possible has been rolled out
  to auxiliary storage.
- the post-wait routine which handles details following the rollback after the inter-rollout routine is finished,
  and after working storage has been restored from auxiliary. Typically, this involves copying a result value
  computed by the inter-rollout routine which is left in temporary storage, and which must be loaded onto
  the execution stack or copied into a program variable.

In block 261, the pre-rollout routine is invoked. This may be a null routine, or it may set up, e.g., parameters
for the inter-rollout routine.

In block 262, the rollout function is performed, if appropriate given the environment and circumstances. If
done, then ROLLOUT consists of writing all working storage, including the VCBs and their values, the FCBs,
the certificates and the CCA, the execution stack, the VIT, the XCA, the P-code itself, and any other blocks,
to some auxiliary storage (such as a file). The interpreter itself may be released from storage, and this may
be done in a special block (264), provided that sufficient residual program and data remains to later reload the
interpreter and the working storage.

In step 266, the inter-rollout routine is invoked. Typically, this routine waits for the user to enter input, or
waits until a future time or other event, or invokes another program which might wait for input, or cause other
delays, or require a large amount of storage which is vacated by the ROLLOUT.

In block 268, after the inter-rollout is finished, the interpreter is reloaded, then the working storage,
including the P-code, the execution stack and all control blocks, is restored from auxiliary storage.

Then in block 270, any final processing is done to tidy up the operation. For example, this typically includes
copying a result returned by the inter-rollout routine to the execution stack, or to a program "variable".

This completes the interrupt, and control is then returned to the top of the P-code handler (250), where 
the next P-code instruction is processed. 

We now examine some P-code operations of interest.

The interpreter in the preferred embodiment handles three types of CALLs and functions: to routines which are
"built-in" to the interpreter, to routines which are written as part of the travelling program, and to routines which
are external to the interpreter or program, and which are dynamically located and invoked when the program
is executed.

In Figure 17 we see that the built-in function appears rather simple, and the interpreter simply locates the
specified function based on an index in the P-code, looks up the routine's address (within the interpreter),
and calls it. However, it is important to realize that, while most do not, some built-in functions might signal a
P-code interrupt. In this case, the built-in function must provide the necessary pre-rollout, inter-rollout and
post-wait routines.

The P-code interpreter always distinguishes CALL and functions, and provides for the return of a result to
the execution stack in and only in the case of a function. For example, the SIGN function returns a value which
represents the digital signature computed on the supplied data.

In Figure 16A we see that a call/function to a program routine causes the creation of a new PCB execution
level 300. The new PCB is set to start executing at the start of the subroutine, by setting the next-P-code
instruction (52) to the P-code entry point of the routine. The first instruction of the routine will be accessed when
block 250 is reentered. Parameters are prepared for the program routine, appropriate status conditions are set,
the program level 58 in the PCB is set to one higher than the calling program and the PCB is placed at the
top of the execution stack as the now current PCB (82). The result of a program routine is passed to the caller
through the P-code RETURN operation.

In Figure 16B, we see how the corresponding program RETURN P-code operation operates. Block 1200
determines if a RETURN is made from the highest (only) level PCB, in which case this operates as an EXIT,
and block 1204 signals that a P-code "EXIT" interrupt is required and passes the return RESULT (if any) as
the value to eventually be returned by block 261 (Fig. 15) as the RESULT for the entire program.

Otherwise, in block 1204, determination is made as to whether the invoker used a CALL or function (e.g.,
by checking field 54 in the caller's PCB), and in the latter case block 1206 puts the return VALUE on the stack
(or creates a default value if the RETURN had no operand).

In block 1208, the current level is cleaned up, and all resources, including storage, files, variables, etc.,
private to this subroutine (aka "program level") are released. Resources, such as variables which are shared with
the caller are NOT released and are available.

In block 1210, the current PCB is then released so that the caller's PCB now becomes the current one, 
and return is made to block 256 where execution resumes. 

The interpreter includes built-in routines which are designed to accomplish specialized travelling program
related functions relating to providing digital signatures, user files to the travelling program and other functions
to eliminate the need for a travelling program designer to be concerned with programming such functions.

P-code operations may also involve the performance of a RETURN function which will affect program control,
and a PROC operation which relates to a program control block. The interpreter also performs a DISPLAY
operation which utilizes the interactive display methodology/language described herein. The interpreter also
performs a TRAVERSE operation which results in the "mailing" of the travelling program to another recipient as
well as all associated data.

Figure 18 illustrates an exemplary sequence of operations performed for executing external functions
or calls. Such external functions or calls are not built in to the interpreter or part of the travelling program but
rather are part of the user's program library. The named function or call is located from any of several possible
libraries 354.

A check is then made to determine if the program is found 356. If the program is not found, then a check
may, if desired, be made to determine whether the program should be terminated or some default action be
performed 358. If a decision is made to terminate, then an error message is generated, and after various
housekeeping/cleanup operations are performed as described above the program is exited (360, 362).
If the check at block 358 indicates that a default action should be taken, then the default action is taken,
e.g., by returning a special default function value (368) and the routine branches back to node 0 in Figure 14
to begin executing further P-code instructions.

If the program is found as a result of the check made in block 356, then parameters are constructed by
the program (364). Invoking external routines involves a P-code interrupt, with a possible rollout. This allows
us to conserve storage in multi-user swapping environments if the external program is lengthy, or in any
environment if the external routine is huge and therefore the storage used by the travelling program should be
vacated in order to satisfactorily perform the external program. In this case, the P-code interrupt is signaled
in block 366. The indicated PRE-ROLLOUT routine copies the parameters to the external routine from the stack (or
variables) to temporary storage. The INTER-ROLLOUT routine invokes the EXTERNAL routine and receives
any returned result; and the POST-WAIT routine copies the returned result to the stack (if the external routine
was invoked as a function).
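
The P-code interrupt sequence of blocks 261 to 270, applied to the external function call just described, is sketched below as an added example; it is not code from the patent. The class and function names, the JSON rollout format and the use of a temporary file as auxiliary storage are assumptions made for illustration.

```python
import json
import os
import tempfile


class Interpreter:
    """Holds working storage and services P-code interrupts (blocks 261-270)."""

    def __init__(self, stack=None, variables=None):
        self.storage = {"stack": list(stack or []), "variables": dict(variables or {})}

    def pcode_interrupt(self, pre_rollout, inter_rollout, post_wait):
        temp = {}                                # temporary storage; survives the rollout
        pre_rollout(self.storage, temp)          # block 261
        # Block 262: ROLLOUT to auxiliary storage. mkstemp creates the file with
        # owner-only access, which matters because working storage may hold
        # certificates and variable values.
        fd, path = tempfile.mkstemp(prefix="rollout-")
        with os.fdopen(fd, "w") as aux:
            json.dump(self.storage, aux)
        self.storage = None                      # working storage is vacated
        try:
            inter_rollout(temp)                  # block 266
        finally:
            with open(path) as aux:              # block 268: restore working storage
                self.storage = json.load(aux)
            os.remove(path)                      # leave no rolled-out copy behind
        post_wait(self.storage, temp)            # block 270


def call_external(interp, routine, argc):
    """Invoke an external routine as a function through a P-code interrupt.

    Returns what the interpreter's working storage looked like while the
    external routine ran (None, because it was rolled out).
    """
    seen = {}

    def pre(storage, temp):
        # PRE-ROLLOUT: copy the parameters from the stack to temporary storage.
        temp["args"] = [storage["stack"].pop() for _ in range(argc)][::-1]

    def inter(temp):
        # INTER-ROLLOUT: run the external routine and keep its result.
        seen["storage_during_call"] = interp.storage
        temp["result"] = routine(*temp["args"])

    def post(storage, temp):
        # POST-WAIT: copy the returned result to the execution stack.
        storage["stack"].append(temp["result"])

    interp.pcode_interrupt(pre, inter, post)
    return seen["storage_during_call"]
```

If the external routine raises an error, working storage is still restored and the rollout file removed, but the POST-WAIT routine does not run.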

It is possible that the external routine is actually another travelling program. If so, then special optimization
may be performed by using the existing already-loaded image of the P-code interpreter, and simply passing
a new set of parameters to block 120 (Fig. 7). In this case, special logic would need to be inserted in blocks 262
and 264 to conditionally avoid releasing the interpreter code itself.

Now let us turn our attention to various special built-in functions which are used by the present embodiment.
Many of these could be executed either as built-in functions, or as language statements with their own special
P-code operation.

Figures 20 and 21 illustrate the operations which are performed when a travelling program transmits itself
to a predetermined recipient. In block 398, any program authorizing information is first checked to ensure that
the traversal operation is permitted. (It is conceivable that some travelling programs may not be permitted to
travel - but simply to do some function which terminates at the first use). In the rare case that the program
is not allowed to travel, a special return code is presented to the caller.

The present embodiment implements the "TRAVERSE" operation as a built-in function. Furthermore, the
function is defined to return "0" to the immediate caller of the function and "1" to the caller after the function
is restarted on the recipient's computer. As explained earlier, this difference in return code allows the program
to differentiate between the sender's and recipient's computer.

To do this, in block 399, the TRAVERSE function first pre-loads the value "1" on the execution stack,
knowing that the stack is transmitted intact. This is the value that will therefore be returned when the travelling
program is reconstituted and restarted on the recipient's computer. Then all relevant variable data such as the
"variable" information table, process control blocks, the various stacks, variable control blocks are collected
into a transmission format such as a format shown in Figure 2.

As indicated at block 402, the travelling program header is constructed and transmitted. The travelling
program is transmitted segment by segment, although it could, in fact, be transmitted in a field by field format, or
any other way if desired. Preferably, a hash is taken of each segment as it is transmitted.

Thereafter, in 404, the program and any authorizing information from the input file received with the
travelling program is then copied to the output transmission file. The "variables" segment is then transmitted
including the name, current value, and relevant status of each variable (406). Any certificates which were
collected as part of performing digital (authorizing) signatures during this or previous traversals are then
transmitted. Thus, any time a digital signature operation is performed, all the associated certificates are collected
and transmitted in the certificate section of the travelling program 408. The signatures are maintained as
variables within the program (i.e., within variable control blocks). Certificates in the presently preferred
embodiment are treated as material which can be accessed via built-in function calls.

Alternatively, it would be possible to include in the certificate package even those certificates which relate
to the signatures of the overall transmission and signature(s) which authenticate and authorize the program
itself. However, this would require that all the certificates definitely be known at the time the Certificate
segment was written, and the logic, and possibly the position of the segments would need to be re-ordered to ensure
optimized processing.

In our implementation, we prefer to keep the certificates associated with the program's authorizing
signature with the program authorization information in the header or program segment, and the certificates for
the user-to-user transmission signature authentication with the signature in the closure segment.

After the certificates are transmitted, all file control blocks are examined resulting in the examination of
all files which may have been transmitted during prior traversals and any newly attached files 410. A check is
then made in block 412 to determine whether there are any more file control blocks to examine. A check is
then made at block 414 to determine whether any file being examined was scheduled to be detached. If
so, the routine branches back to 412 and neither the file, nor the file tag is copied for transmission. If the file
is not scheduled to be detached, then the file tag name is copied into the transmission 416.

A check is then made to determine whether the file in question is part of an incoming travelling program
which is being carried forward (418). If it is determined that it was part of the incoming traversal, then all file
attributes from the incoming traversal as well as the file itself are copied to the outbound transmission file (422).
This input file name may be accessed via the execution control area XCA and the input position of the file is
associated with the file control block 422.

If the file is not part of an incoming traversal but rather was attached during the travelling program
execution, then the file, the file type, and its attributes are copied into the transmission file 420. Thereafter, the
routine branches back to block 412 to determine whether there are any more file control blocks to examine
until all file control blocks have been examined.

As indicated in Figure 21, when all FCB's have been examined, a check is made to determine whether an
overall user-to-user digital signature has been requested or is required by the system program 430. Such an
overall signature would be useful in detecting tampering with transmitted information.

If an overall digital signature is to be taken, then a digital signature operation on the hash of all material
transmitted is performed (432). The digital signature operation may be performed in accordance with the
teachings of U.S. Patent 5,005,200 (or more conventional digital signature techniques which do not have the
associated authority verification attributes, as desired). As indicated at block 432, a hash was previously taken for
each part of the transmission. It is noted that alternatively, a hash may be taken of each of the hashes. The
digital signature step may involve user interaction to perform the signature.

Thereafter, validation is supplied at the end of transmission as the "closure" segment. The validation is
supplied by transmitting a hash reflecting prior material. The signed hash should demonstrate user-to-user
authentication 434. Any certificates necessary to validate the final signature, which are not already in the
certificate segment, should be included in the CLOSURE segment. Thereafter, the transmission is closed 436.

Finally, in block 437, the value "1" which was previously loaded onto the execution stack for the benefit
of the transmitted program when it arrives at the recipient, is removed and replaced with the value "0" - which
is returned to the current caller to allow it to distinguish itself.
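
The transmission built by TRAVERSE and its check at the recipient can be sketched as follows. This is an added example, not code from the patent: the segment layout, the function names and the sample data are constructed for illustration, the hash-of-hashes alternative mentioned above is used, and a keyed HMAC stands in for the user-to-user digital signature so that the example runs with the standard library alone (a real closure segment would carry an asymmetric signature and its certificates).

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # constructed; stands in for the sender's signing key


def make_segment(name, payload):
    """Serialize one transmission segment in a canonical (sorted-key) form."""
    return {"name": name, "body": json.dumps(payload, sort_keys=True)}


def hash_of_hashes(segments):
    """Hash each segment (name and body), then hash the ordered list of hashes."""
    outer = hashlib.sha256()
    for seg in segments:
        inner = hashlib.sha256(seg["name"].encode() + b"\0" + seg["body"].encode())
        outer.update(inner.digest())
    return outer.digest()


def traverse(program, variables, stack, certificates, fcbs, key):
    """Sender side of TRAVERSE: returns the transmission, leaves 0 on the local stack."""
    stack.append(1)  # block 399: the copy restarted at the recipient will see 1
    segments = [
        make_segment("header", {"format": "constructed-example"}),
        make_segment("program", program),
        make_segment("variables", {"values": variables, "stack": stack}),
        make_segment("certificates", certificates),
    ]
    for fcb in fcbs:  # blocks 412-422
        if fcb["detach"]:
            continue  # neither the file nor its tag is copied
        segments.append(make_segment("file:" + fcb["tag"],
                                     {"attrs": fcb["attrs"], "data": fcb["data"]}))
    # Block 432: sign the hash taken over all transmitted material.
    signature = hmac.new(key, hash_of_hashes(segments), hashlib.sha256).hexdigest()
    closure = {"signature": signature}  # blocks 434-436
    stack[-1] = 0  # block 437: the local caller sees 0
    return {"segments": segments, "closure": closure}


def receive(transmission, key):
    """Recipient side: verify the closure before restoring any state."""
    expected = hmac.new(key, hash_of_hashes(transmission["segments"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, transmission["closure"]["signature"]):
        raise ValueError("closure signature does not match the received segments")
    return {seg["name"]: json.loads(seg["body"]) for seg in transmission["segments"]}
```

Because the signed value covers every segment's name and body in order, an altered variable, a relabelled segment and a dropped file segment all fail the same check.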

Because creating a digital signature typically involves user interaction - such as possibly selecting a
certificate and opening the private key, or asking the user to operate his digital signature token device - the
material described in Figure 20 and 21 will actually operate in the preferred embodiment as P-code interrupt
routines. As an example, the TRAVERSE function code would trigger a P-code interrupt, in which the logic from
blocks 399 to 430 would operate as a PRE-ROLLOUT routine, while the block at 432 might operate as an
INTER-ROLLOUT routine since it may require the aforementioned user interaction. The blocks thereafter (434, etc.)
would operate as a POST-WAIT routine.

The travelling program can be designed as desired to transmit itself numerous times during its execution to
various recipients. In such multiple transmissions, the variables can be changed prior to each transmission as
appropriate. In this fashion, the program is in the position to do processing distinct for each recipient in a manner
which is implementation dependent.

Figure 22 illustrates a sequence of operations for attaching a file to the travelling program. The attach file
routine responds to an identified file tag and an identified file name. As indicated at block 440, a check is made
to determine whether a file control block with the same tag exists. If so, then the previous file with the same
tag is deleted 442.

Thereafter, a check is made to determine whether the specified file name reflects an existing file which
is accessible by the user. In this regard, the travelling program may be associated with program authorization
information which defines the range of operations which the program is able to perform, including the ability
to access files. Such program authorization information will be checked to determine whether the file name
is accessible. If the file name is not accessible by the user, then an error code/message is returned to the
user 446.

If the file name is accessible to the user, then a file control block (FCB) is built with the specified tag and
file name and the file will be attached during the next and subsequent transmission of the travelling program
448. The routine is thereafter resumed with an indication that the file has been attached successfully.

Figure 23 illustrates how a file is erased from the user system. When an "erase" function is attempted to
be executed, security codes are checked to determine whether the program is authorized to perform such an
operation (450). If the security codes indicate that the program is authorized to erase the specified file (452),
then an erase operation is performed and the routine branches back with an indication whether the file was
successfully erased 454. Alternatively, if the program is not authorized to perform an erase operation, then
the calling routine is returned with an error message indicating that the file could not be erased (456).

Figure 24 illustrates the sequence of operations performed in detaching a file from a travelling program.
As indicated in block 458, a check is made to determine whether a file control block exists for the identified
tag associated with the file to be detached. If no FCB exists, then the main routine is returned to with an error
message indicating that the file could not be detached 462. If the file control block does exist as determined
at 458, then the file control block is deleted at 460 and the main routine is returned to with an indication that
the file has been successfully detached.

Figure 25 delineates the sequence of operations performed when a file is to be "exported", i.e.,
transformed into a user file. A travelling program may take a specified file, for example, representing a spreadsheet
and convert such a file to a recipient user's file that remains with the user even after the travelling program
has been sent to a further destination. The file to be "exported" will be identified by a tag and an output file
name and, if desired, a rewrite indicator identifying whether the file may be rewritten.

A check is initially made as to whether a file control block exists for the specified tag 498. If no FCB exists,
then an appropriate error indicating code is generated and the calling routine is returned to (504). If a FCB
does exist with the specified tag, a check is made to determine whether the file is part of an incoming travelling
program 500. If the file to be exported was not part of an incoming traversal, then it must have been attached
by the user and already be present in the user's file and, accordingly, an error message is generated indicating
that one is not allowed to export a newly attached file 502. If the file was part of the incoming traversal, then
a check is made to determine whether the specified file already exists (480). If so, then a check is made at
block 482 to determine whether it is okay to rewrite the specified file. The check includes determining whether
the program is allowed to modify the specified existing file (if no "overwriting"), or to erase and create the
specified file (if "overwriting" is permitted). If not, then the block 484 is used to return an access error to the
program. If the check at 482 indicates that it is okay to rewrite, a determination is made as to whether the file
should be overwritten or whether new material should be added to the end of the file (486). If overwriting is
indicated at 486, then the existing file is erased (488). A new file is created, if permitted by program authorizing
security information and preparations are made to start writing at the beginning of the file (490).

If overwriting is not indicated at 486, but new material data is to be added at the end, then preparations
to start adding at the end of the existing file are made, as indicated at block 492. Thereafter, the data is copied
from the correct position at the incoming traversal file to the output file (494) and the main routine is re-entered
with an indication that the exporting operation has been successfully performed (496).
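
The attach, detach and export rules of Figures 22, 24 and 25 are sketched below as an added example; it is not code from the patent. Program authorization is modelled, as an assumption, by two sets of permitted paths, and the class name, return codes and sample files are constructed for illustration.

```python
import os
import tempfile


class FileTable:
    """File control blocks (FCBs) keyed by tag, gated by program authorization."""

    def __init__(self, readable, writable, incoming):
        # Authorization is modelled as two path sets; comparing real paths
        # keeps "../" or symlink aliases from slipping past the check.
        self.readable = {os.path.realpath(p) for p in readable}
        self.writable = {os.path.realpath(p) for p in writable}
        # Files that arrived with the incoming traversal.
        self.fcbs = {tag: {"incoming": True, "data": data} for tag, data in incoming.items()}

    def attach(self, tag, path):                       # Figure 22
        self.fcbs.pop(tag, None)                       # 442: drop any FCB with the same tag
        real = os.path.realpath(path)
        if real not in self.readable or not os.path.isfile(real):
            return "ERR_NOT_ACCESSIBLE"                # 446
        self.fcbs[tag] = {"incoming": False, "path": real}
        return "OK"                                    # 448

    def detach(self, tag):                             # Figure 24
        if tag not in self.fcbs:
            return "ERR_NO_FCB"                        # 462
        del self.fcbs[tag]                             # 460
        return "OK"

    def export(self, tag, out_path, rewrite=None):     # Figure 25
        fcb = self.fcbs.get(tag)
        if fcb is None:
            return "ERR_NO_FCB"                        # 504
        if not fcb["incoming"]:
            return "ERR_NEWLY_ATTACHED"                # 502
        real = os.path.realpath(out_path)
        if real not in self.writable:
            return "ERR_ACCESS"                        # 484
        exists = os.path.exists(real)
        if exists and rewrite not in ("overwrite", "append"):
            return "ERR_ACCESS"                        # 482: rewrite not allowed
        mode = "a" if exists and rewrite == "append" else "w"   # 486
        with open(real, mode) as out:
            out.write(fcb["data"])                     # 494
        return "OK"                                    # 496


def run_demo():
    """Constructed scenario in a temporary directory; returns each call's result."""
    with tempfile.TemporaryDirectory() as d:
        report = os.path.join(d, "report.txt")
        ledger = os.path.join(d, "ledger.txt")
        secret = os.path.join(d, "secret.txt")
        for p in (report, secret):
            with open(p, "w") as f:
                f.write("local\n")
        t = FileTable(readable=[report], writable=[ledger], incoming={"SHEET": "row1\n"})
        r = {}
        r["attach_ok"] = t.attach("REPORT", report)
        r["attach_denied"] = t.attach("SECRET", secret)
        r["export_new_attach"] = t.export("REPORT", ledger)
        r["export_unauthorized"] = t.export("SHEET", secret, "overwrite")
        r["export_create"] = t.export("SHEET", ledger)
        r["export_exists"] = t.export("SHEET", ledger)
        r["export_append"] = t.export("SHEET", ledger, "append")
        with open(ledger) as f:
            r["ledger"] = f.read()
        with open(secret) as f:
            r["secret"] = f.read()
        r["detach"] = t.detach("SHEET")
        r["detach_again"] = t.detach("SHEET")
        return r
```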

Figure 26 illustrates an exemplary sequence of operations performed when material is to be digitally signed.
In implementing the digital signature function, initially a check is made to determine whether a digital signing
operation is permitted by the program as indicated at block 510. Whether a program is permitted to perform
a digital signature operation will be controlled by program authorization information which is associated with
the program and which is monitored every time the program is executed to ensure that unauthorized operations
are not performed. If the digital signature operation is not permitted, then an error message will be generated
rejecting the digital signature function call 511.

If the digital signature operation is permitted, then in block 514, the SIGN function prepares for user
interaction by moving an image of the data to be signed, together with any parameters (such as any required
authorization for the data content) to temporary storage in preparation for receipt by the INTER-ROLLOUT
routine (shown in Figure 27) which will perform the user interactions associated with performing the actual
signature.

In block 512, the P-code routine is signalled, with interrupt routines which are described below.

If the digital signature operation is authorized, then a display panel must be presented to the user to
solicit which certificate is to be used for the signature operation. The signature operation is preferably
performed in accordance with the inventor's U.S. patent No. 5,005,200 which patent has been expressly
incorporated herein by reference. The user may possess a wide range of certificates for performing digital signature
operations including those constructed along the lines of U.S. Patent No. 5,005,200. The INTER-ROLLOUT
routine is given control at block 509 after much of the storage is rolled out (the signature routine itself must
remain in storage, of course).

If there are no certificates suitable for performing the signature, then control passes to block 515 which
generates an error indicator to be returned to the sign operation. If there is only one certificate suitable for
performing the signature, then it is automatically passed to (513). If there is more than one suitable
certificate, then the user is asked to select (516). If the user declines (517), then an appropriate error indicator
is generated, and passed to the program (515). Otherwise, the chosen suitable certificate is passed to (513).

The associated private key is then located (513). If block 518 determines that it is located on the user's
token, then step (524) is used to solicit communication to the token so that it can perform the digital signature.
Otherwise, the user's private key is located in the system encrypted under a secret password phrase. The
user is solicited (520) for this password, which is used to decrypt the private key. If any errors or bad passwords
are detected, an appropriate error message is generated. To inhibit guessing by someone other than the true
user, only a limited number of tries to give the correct password are allowed.

In block 522, the password is used to decrypt the private key, which in turn is used to sign the message,
according to the necessary authority. After the operation, all traces of the secret material are erased, and the
signature and certificate are returned to (268, Fig. 15) in temporary storage. In (270) control is then given to
the POST-WAIT routine (530) which moves the signature from temporary storage to the execution stack.

In block 532, the operation is checked, and if it was successful, the proof hierarchy for the signer's
certificate is obtained. Certificates are added to the overall certificate collection (maintained in the XCA (90, et al.))
if they do not already appear.

Figure 28 illustrates the sequence of operations performed when displaying information to the user. The
travelling program has associated therewith a display layout capability which is described in conjunction with
Figure 28. The layout capabilities of the travelling program adapt functions heretofore associated with
typesetting applications for use in a user interactive display mode together with additional enhanced capabilities.

The screen may be laid out such that input fields can be readily moved and associated with various
attributes for very flexibly interacting with the user. Various display related operations and functions are
summarized in block 540. The display presents an output based on a specified layout definition process controlled by
the display processing portion of the interpreter.

The display processing involves analyzing conditional attributes and static attributes for the fields and the
group of fields in the layout definition. In the display processing subroutine, variable substitution and iteration
using conditional logic is performed as necessary. Although variable substitution is permitted, the system
retains association between an input variable and where the field is to be displayed on the screen in the
corresponding variable control block (VCB) even if the field is flowed into its final output position as dictated by the
layout definition.

The following attributes are then provided to each field, including color, font, boldface/italics, style, size,
underlining, blinking, reverse video, non-display (e.g., for hiding passwords), high intensity display, etc.
Additionally, possible error messages are inserted where appropriate for a detected error condition and the proper
cursor position is indicated.

The layout language used in block 540 permits not only the definition of a screen output but also definitions
for accepting input. As indicated in block 542, fields are written to the user's terminal allowing input fields, as
appropriate depending upon the application. As previously described, data structures may be rolled out to
auxiliary storage (544) and rolled back (546) after the user performs data entry into the appropriate input fields.

To do this, the step 544 actually involves signaling a P-code interrupt, and having the block 545 executed
as the associated INTER-ROLLOUT routine, and block 546 executed as the POST-WAIT routine responsible
for mapping the input fields back to the VCBs for the associated variables. This may involve passing data
through temporary storage.

Thereafter, the input is analyzed and the input data is inserted in all associated variables. A field validation
is then performed for all input fields 548. Thus, a check may be made to make sure that for numeric fields
only numbers have been entered. Similarly, a check may be made to determine whether an input field has the
specified attributes.

Thereafter, a check is made at block 550 to determine whether there has been an error in any field. If
there has been an error, then an error message is produced and the cursor is positioned to the errant field
(552), after which the routine branches back to 540 to generate an error message display.

If the check at 550 fails to reveal an error in a particular field, then a further check is performed to cross
verify that the fields are correct in context (e.g., although two adjacent fields may be correct individually, an
error condition may be defined regarding the combination of fields) 554. Based on a cross verification, a
determination is made as to whether the field contains a contextual error. If not, then a return is made to the
caller 558. If there is a contextual error then an error message is produced in accordance with block 552.

It should be noted that verification of both the individual fields is completely under control of the program.
There may be various specifications, utility routines and other conveniences to simplify handling common
situations, but in general, any possible validation is possible. Cross-validation of fields may involve more
semantic concerns, and is thus more likely to require specialized programming.

Figure 29 delineates a sequence of operations performed by a time delay routine. The time delay function
may be utilized to wake up at predetermined time intervals and check to see whether any incoming electronic
mail has arrived and attach itself to that mail to thereby efficiently handle incoming electronic data interchange.
Thus, through such a time delay mechanism, a travelling program could examine a particular mail box at
predetermined time intervals to check whether any mail has arrived. If the mail has arrived, the travelling program
could send the mail to a destination to be handled by a further recipient. Alternatively, the travelling program
could examine incoming data (such as mail), and based on various content indicators, automatically perform
a traverse and spawn a new "instance" of itself which could treat the mail appropriately. Of course, the original
"instance" could continue executing and process every instance that arrives.

For example, if the incoming information happened to be EDI transactions, then a travelling program could
read the information (using, for example, a READ built-in function), break it apart into internal variables,
determine by whom it should be processed, and perform the appropriate traversal. Once successfully routed,
the letter could be disposed, moved or archived, the program could clear its variables, and resume looking for
more input.

Alternatively, after determining the type of material arrived, it could invoke another program to process
the incoming data. If the other program happened to be a travelling program, then that program could be given
the necessary input information, and could then TRAVERSE itself as appropriate to the handling.

This would allow, for example, one travelling program to act as an automatic router for incoming data, such
as EDI transactions, and then hand off to other travelling programs the transactions which it is not prepared
to handle itself.

Furthermore, if the EDI were signed, then the travelling program could verify the signature immediately.
If the signature were valid, and especially if it were done according to U.S. Patent No. 5,005,200, then the
authorization for the content could be programmatically screened, and the travelling program could automatically
spin-off an instance to handle the incoming transaction.

For example, with proper enhanced authorization, an incoming Purchase Order could be automatically and
instantly routed to the shipping department to commence filling.

Items which arrived which were not signed, or which used simple signatures rather than authorizing
signatures, could be routed to various clerical persons for exception processing and more detailed inspection.

As indicated in block 570, the time delay routine sets the system alarm clock for a specified time.
Thereafter, an optional roll out of data to auxiliary storage may be performed (572) by scheduling a P-code interrupt
with appropriate routines followed by a performance of a roll-in of data after the specified time period has
elapsed. Thereafter, a return to the calling routine occurs (576).

Figure 30 shows the sequence of operations for a "select from directory" function. The directory
could be a directory of files or a directory of users, etc. Initially, a list is created of all candidate items 580.
Thereafter, a display is generated to display at least part of the list 582. The user will have an opportunity to
select among those items presented (583, 585), after which the function will return the names of the selected
items, either as a function result or a set of special variables (584).

Again, as described elsewhere, the actual WAIT is performed through the use of the P-code interrupt
function. In this case the INTER-ROLLOUT routine waits for the user to select from the selection, and returns the
input to the program variables through the POST-WAIT routine.

Figure 31 is a routine which demonstrates how the interpreter program permits a user to perform digital
signatures. As indicated at block 600, the data to be digitally signed is assembled based on data which the
program is able to access: this includes user supplied input, data read from files, data accumulated from
previous traversals, data based on the user's environment (e.g., the user's TSO identifier), the time, data
incorporated into the program itself, and data derived from built-in functions (such as the built-in X12 data
dictionary). Appropriate information is displayed to the user (602). The user then decides whether he or she wishes
to sign the data, as indicated at block 604. If the user indicates he wishes to perform the signature, the system
invokes the sign function, as illustrated in Figure 26, to further interact with the user and complete the
signature (606). Thereafter, the digital signature is generated and saved as a program variable 608.

Figure 31 and the flowcharts which follow depict, in part, how a user might utilize the travelling program
methodology described therein, while performing relatively few operations to accomplish powerful functions
built into the aforedescribed interpreter.

Figure 32 exemplifies how a user would verify received information. As indicated in block 610, the data
which is expected to be verified are assembled. Thereafter, a "Verify" function with the assembled data and
the saved digital signature, together with any possible authority requirements, is invoked. The verification
function may be accomplished as described in U.S. Patent No. 5,005,200 or using standard digital signature
techniques if a conventional digital signature operation was utilized to sign the variables. Thereafter, a
determination is made based on the processing in block 612 as to whether the signature is verified (614). If so,
then the program execution continues. If not, an error condition results indicating that the data has been
tampered with or that there has been some kind of programming error 616. Return codes are defined to allow the
program to distinguish whether the signature was invalid, whether it supported authorization capability, and
if so, whether the authorization was confirmed.
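
The return-code distinction described for Figure 32, together with the routing of simple versus authorizing signatures mentioned earlier, can be sketched as follows. This is an added Python example, not code from the patent; HMAC-SHA256 stands in for the digital signature, and the `spend_limit` authority field, the function names and the routing labels are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from enum import Enum


class VerifyResult(Enum):
    INVALID = "signature does not match the assembled data"
    VALID_SIMPLE = "valid, but carries no authorization capability"
    AUTH_UNCONFIRMED = "valid and authorizing, but authority does not cover the request"
    AUTH_CONFIRMED = "valid and authority covers the request"


def _assemble(variables, authority):
    # Deterministic encoding of the data to be signed or verified (blocks 600 and 610).
    # The authority claim is covered by the signature, so it cannot be edited in transit.
    doc = {"authority": authority, "vars": variables}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def sign(key, variables, authority=None):
    """Stand-in for the sign built-in; the result is saved as a program variable."""
    tag = hmac.new(key, _assemble(variables, authority), hashlib.sha256).hexdigest()
    return {"authority": authority, "tag": tag}


def verify(key, variables, signature, required_amount):
    """Return a code separating: invalid, valid without authority, authority (un)confirmed."""
    if not isinstance(signature, dict) or not isinstance(signature.get("tag"), str):
        return VerifyResult.INVALID
    authority = signature.get("authority")
    try:
        data = _assemble(variables, authority)
    except (TypeError, ValueError):
        return VerifyResult.INVALID            # malformed input cannot verify
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    # Constant-time comparison of the recomputed and the received tag.
    if not hmac.compare_digest(expected.encode(), signature["tag"].encode()):
        return VerifyResult.INVALID
    if not isinstance(authority, dict):
        return VerifyResult.VALID_SIMPLE       # simple signature, no authority attached
    limit = authority.get("spend_limit")       # hypothetical authority requirement
    if isinstance(limit, (int, float)) and limit >= required_amount:
        return VerifyResult.AUTH_CONFIRMED
    return VerifyResult.AUTH_UNCONFIRMED


def route_purchase_order(key, po, signature):
    """Routing decision for an incoming purchase order (labels are assumptions)."""
    if signature is None:
        return "exception-processing"          # unsigned item
    result = verify(key, po, signature, required_amount=po["total"])
    if result is VerifyResult.INVALID:
        return "error"                         # block 616: tampering or programming error
    if result is VerifyResult.AUTH_CONFIRMED:
        return "shipping"                      # proper enhanced authorization
    return "exception-processing"              # simple or insufficient authority


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"         # constructed sample values
    demo_po = {"item": "widget", "qty": 10, "total": 500}
    for sig in (sign(demo_key, demo_po, {"spend_limit": 1000}), sign(demo_key, demo_po), None):
        print(route_purchase_order(demo_key, demo_po, sig))
```

Because the authority claim is part of the signed bytes, raising `spend_limit` on a received signature produces `INVALID` rather than a confirmed authorization.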

Figure 33 illustrates how a travelling program collects a file to be transferred. Initially, the program
determines the file to be transferred by, for example, displaying to the user, a list of files 620. A check may be made
to determine whether it is necessary to have user interaction in order to determine the file (622). If yes, then
the user is prompted to determine the file to be transferred 624. If it is not necessary to have user interaction
to determine the file, then the entire file contents are attached to the set of data to be transferred 626. The
operation is accomplished using the attached functions set forth in Figure 22 which involves building a file
control block as previously described.

Figure 34 illustrates the travelling program operations performed in reading data from a specified file.
Initially the file is determined containing the data to be read (630). Thereafter, data is read from the specified
file and saved as program variables 632. Figure 35 illustrates how the travelling program may update or create
a file from program variables. As indicated in block 640, the user file into which data is to be written is first
determined. Thereafter, a function is invoked that writes program variables into the user file 642.
It should be understood, even if not explicitly described in every case, that any program function which
could lead to data loss, alteration, damage or disclosure is subject to security controls. Such controls can be
applied at the program level, and either be tied to the incoming program and possibly be combined in some
predetermined fashion with those also imposed by the user.

Therefore, for example, in the above case, the travelling program could only read or write user's data files
if the program were so authorized.

Security constraints exist for at least the following classes of functions:
Displaying data to the user.
Soliciting input from the user.
Performing digital signatures.
Reading data from user files.
Creating user files.
Erasing user files.
Writing data into user files.
Renaming user files.
Attaching user files.
Exporting attached files into user files.
Invoking a digital notary device.
Receiving incoming electronic mail.
Reading the contents of electronic mail.
Moving or archiving incoming mail.
Deleting incoming mail.
Generating outbound electronic mail, or doing various types of data transmissions.
Being coupled to various types of equipment, device and services (FAX, printers, office equipment, robot devices, manufacturing equipment, etc.).
Performing a program traversal.
Invoking external programs.
Accessing, updating, activating, erasing, altering, invoking, or attaching other travelling programs.
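
One way an interpreter could enforce the constraint classes listed above is shown here as an added Python example (not code from the patent): each built-in call is allowed only when both the authorization carried with the incoming program and the user's own policy permit it. Taking the intersection as the "predetermined fashion" of combining the two, and the `Gate`, `Op` and pattern names, are assumptions.

```python
import posixpath
from enum import Enum
from fnmatch import fnmatchcase


class Op(Enum):
    # A subset of the function classes from the list above.
    DISPLAY = "display data to the user"
    SIGN = "perform digital signature"
    READ_FILE = "read data from user file"
    WRITE_FILE = "write data into user file"
    ERASE_FILE = "erase user file"
    INVOKE_EXTERNAL = "invoke external program"
    TRAVERSE = "perform a program traversal"


FILE_OPS = {Op.READ_FILE, Op.WRITE_FILE, Op.ERASE_FILE}


class Denied(PermissionError):
    pass


class Gate:
    """Checks every built-in call against both sets of constraints."""

    def __init__(self, program_grants, user_policy):
        # Each maps Op -> list of target patterns; a missing Op means "never allowed".
        self.program_grants = program_grants
        self.user_policy = user_policy
        self.audit = []                        # (operation, target, outcome) records

    @staticmethod
    def _matches(rules, op, target):
        return any(fnmatchcase(target, pattern) for pattern in rules.get(op, ()))

    def _deny(self, op, target, reason):
        self.audit.append((op.name, target, "deny: " + reason))
        raise Denied(f"{op.value} on {target!r}: {reason}")

    def check(self, op, target="*"):
        """Return the normalized target if the call is allowed, else raise Denied."""
        if op in FILE_OPS:
            # Normalize before matching so "orders/../x" cannot ride on an "orders/*" grant.
            target = posixpath.normpath(target)
            if target.startswith("/") or target == ".." or target.startswith("../"):
                self._deny(op, target, "path escapes the user's file area")
        if not self._matches(self.program_grants, op, target):
            self._deny(op, target, "program is not authorized")
        if not self._matches(self.user_policy, op, target):
            self._deny(op, target, "user policy forbids it")
        self.audit.append((op.name, target, "allow"))
        return target


def allowed(gate, op, target="*"):
    """Boolean wrapper around Gate.check for callers that only need yes or no."""
    try:
        gate.check(op, target)
        return True
    except Denied:
        return False


def demo_gate():
    # Constructed sample policies: what the program carries vs. what the user permits.
    program_grants = {
        Op.DISPLAY: ["*"], Op.SIGN: ["*"], Op.TRAVERSE: ["*"],
        Op.READ_FILE: ["orders/*"],
        Op.WRITE_FILE: ["orders/*", "payroll/*"],
    }
    user_policy = {
        Op.DISPLAY: ["*"], Op.SIGN: ["*"], Op.TRAVERSE: ["*"],
        Op.READ_FILE: ["orders/*", "notes/*"],
        Op.WRITE_FILE: ["orders/out-*"],
    }
    return Gate(program_grants, user_policy)


if __name__ == "__main__":
    gate = demo_gate()
    for op, name in [(Op.READ_FILE, "orders/po-17.edi"), (Op.WRITE_FILE, "payroll/run.dat"),
                     (Op.READ_FILE, "orders/../payroll/salaries.dat"), (Op.ERASE_FILE, "orders/po-17.edi")]:
        print(op.name, name, allowed(gate, op, name))
    print(gate.audit)
```

The audit list records denials as well as allowed calls, which gives the receiving user a trace of what an incoming program attempted.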

Figure 36 illustrates how a travelling program may be designed to be split and sent to a number of different
recipients and Figure 37 demonstrates how the previously split programs may be merged.

Turning first to Figure 36, the travelling program may need to be split in order, for example, to acquire
survey data from a number of different recipients or to collect or distribute data to a number of different executives
in an organization. Initially, the travelling program performs various housekeeping operations to prepare to split
650. Thereafter, variables are set in accordance with particular application requirements, e.g., the survey run
by a particular user 652. Destination users are then determined and the traverse function is invoked as per
Figures 20 and 21 to transmit the image of the program, the program's variables together with any other
appropriate data tailored to the individual recipients 654. The transmitted variables may change from instance 1
(656) to instance 2 (658), instance 3 (660), to instance N (662).

A check is ultimately made to determine whether there are more destinations to which to transmit (664).
If so, then the routine branches back to 652 to transmit to the further destination. If there are no further
destinations, then the final transfer is performed 666 in the same manner as explained above with respect to 654
to result in the final "instance" 668, thereafter resulting in the completion of the splitting operation.

In other examples, it may also be that the master program simply goes into some other processing.
Perhaps, if it were running in a batch environment as an input distributor, and all the input were presently exhausted
(having just been spun off to a number of users), it would go into a delay until something else arrived.

Turning to the Figure 37 merge operation, the travelling program has the intelligence to transfer itself from
user to user to merge further data until the merging operation is complete. Initially, the travelling program
arrives at a merging destination and is executed (680). A check is made to determine whether this is a master
"instance" which is determined by a predetermined variable being set. If it is determined that this is not a master
instance at 682, a slave instance is identified 684. At (685) the slave program checks if it has been invoked
with the special "DEBRIEF" parameter (which is simply a convention used by this program to determine when
the slave is being called by the master), and if so (687) passes back all pertinent information to the master
instance, then exits. If this is not the DEBRIEF invocation, then a check is made to determine whether the
master instance is available, i.e., has already arrived, 686. If the master instance is available then a call is
made to the master instance 696, through the use of the call shown in Figure 18. After the master instance
has been invoked, the routine branches back to block 680. If the master is not available, a message is issued
that the master control for the series has not arrived 688.

Presuming the master instance has arrived and has been invoked, then at block 682 a determination is
made that this is the master instance and a check will be made to determine whether any other slave instances
have arrived 692. If so, then the slave instance will be invoked with a predetermined parameter to initiate the
collection of data (referred to perhaps as "debriefing") 694. At entry point E, data is collected from the instance
and is returned to the master and is written to a collection file 706. Thereafter, the instance that has just been
invoked is erased 708 and the routine branches back to 692 in which case further information is collected if
other instances have arrived.

If no further instances have arrived the file is checked to see if all instances have all arrived (698). If they
have, as determined at 700, then the data could be read from the collection into variables in the travelling
program. Depending on the expected size of the collection file, and the nature of the processing, it might be more
desirable for the master program to process the completed file at that moment and either traverse itself to the
next destination, or to encapsulate the result into a simple message, perhaps even an EDI transaction and
simply transmit that raw data.

In other cases it might be appropriate for the program to ATTACH the file to itself and transfer it wholesale
to another process. The file is erased and aggregate data is transmitted to the next destination 704. If all
instances have not yet arrived, then a message is issued such as "waiting for forms to arrive" (702) and the
routine is temporarily exited.

Figure 38 shows an alternative approach to merging previously split travelling program information. As
shown in block 710, the travelling program arrives at a merging destination and is run. The collected data is
then written to a special file 712. A check is made to determine whether all other instances have arrived as
indicated at 714. If so, then the collected data is processed 716, and the program traverses to the next
destination 718 and the routine is exited. If all other instances have not arrived as determined at 714, then a
message is displayed such as "waiting for more forms to arrive" (720) and the current instance is deleted 722, and
the routine is exited.

Figure 39 is a flowchart indicating how the travelling program has been designed to accommodate
electronic data interchange (EDI) generation functions. Figure 39 more specifically demonstrates how a particular
"X12" standard characteristic may be used. The X12 standard has an associated data dictionary and segment
dictionary. The X12 segment dictionary, for example, may be used to define all segments necessary to define
a purchase order. Each segment is defined as being a piece of data which is then looked up in a dictionary.
Because there are many different ways to specify the quantity of an item, many variations of data are permitted
in X12.

The present system embeds the X12 data dictionary into the interpreter which may be called as a built-in
function. As indicated in block 720, initially a call is made to the X12 subroutine by specifying a segment name
and items "XX, YY, WW,..". The program can provide X12 data code for popular common options typical in the
organization's environment, so as to build a short list of options in order of normal usage. Examples of such
items are, in a purchase order context, item number, part number and quantity. This call will result in a call to
the built in data dictionary.

A check is made to determine whether the short list is empty (as indicated in 724). If so, the segment name
is used to call the built-in function X12SEGLIST that locates the segment dictionary table of all associated data
options 736. Thereafter, X12DATANAME built-in function would be used to expand the data dictionary each
associated description data 738 and the long complete list would be displayed 740.

If the check at 724 indicates that there is a short list, the X12DATANAME data dictionary is used to locate
the expanded description of each of the options on the short list. Thereafter, the short list is displayed 728.
Then a check is made to determine whether the user wants the full long list as indicated at 730. If the answer
is yes, then block 736 is executed as described above. If no, then the user's selection from either the short
list or the long list is accepted (732).

A check is then made at block 734 to determine whether all data is collected. If so, we assemble and emit
the completed X12 transaction 742 and then exit the routine. With respect to the emitting operation referred
to in conjunction with 742, the present invention contemplates the capability of mailing specific sets of X12
data in addition to mailing the entire travelling program. If all data is not collected as indicated by the check in
734, then more data items are retrieved and the routine execution is repeated.

Figure 40 relates to the use of the travelling program in receiving an electronic data interchange
transaction. For example, a particular user may have received a travelling program generated purchase order. Initially,
the received EDI transaction is read 750, perhaps by a timer-delay travelling program, as described with Figure
29, which spawns copies of itself as input arrives. The encoded EDI is then parsed into program variables 752.
The received EDI is then moved to an archive repository to preserve that which has been received for possible
audit. The segments are then processed via a coupled segment dictionary 756. The segment rules associated
with X12 are enforced which, for example, may relate to not having certain kinds of data in particular fields,
758. For each data item, the data dictionary associated with each segment is located 760. For a statement
such as shown in 762 where DESC=X12DATANAME (SEGCODE, DATA ITEM), this statement will result in a
call to the data dictionary to get a meaningful description of the data item. The retrieved meaningful description
will be placed into a display variable resulting in, for example, a display of the purchase order in a purchase
order format. All data items are processed by branching back to block 762 and all segments are processed
branching back to 756.

The preferred embodiment also allows access to a Digital Notary facility by providing built-in functions
which can access a digital notary, or notary device such as described in inventor's U.S. Patent No. 5,001,752
(which is incorporated herein by reference), or other devices as well.

By allowing a travelling program to access such a facility, the travelling program is able to move data to a
platform where the digital notary can be easily accessed, then using the built-in function to do so. This allows
notarization for important signatures, timestamps for inbound traffic, or for any other reason. Since such
notarization is strictly under control of the program, any criteria whatever, whether automatic or based on user
requests, can be used.

Also as described earlier, the facility allows for the coupling to outbound FAX so that electronic forms, in
addition to being converted to EDI, or printed, can also be faxed to the ultimate recipient.

Also, as implied, but not explicitly stated, even when a travelling program emits an EDI transaction, it may
still be activated later. One example would be a travelling program which first serves as an electronic requisition
then, after sufficient approving signatures, generates a purchase order. It could then send itself to a repository
where it could later be reactivated when the corresponding invoice and bills eventually arrive (electronic or
otherwise) and can serve as a method for reconciling the order with the shipment received and the billing. It
can incorporate logic to keep track of which items have been received, and which are still pending.
Because of the ability to flexibly direct itself, it can span many different sites. Insofar as handling shipping and
receiving, it is also possible to couple the travelling program with a bar code reader and validate materials sent
and received without human data entry.

The preferred embodiment envisions that the travelling program could be coupled to a variety of
equipment, including office equipment, and other devices and facilities.

Also, any given traversal could also be sent simultaneously to a variety of recipients.

The following listing reiterates and summarizes many of the above-described functions (and identifies
some additional functions) which the preferred embodiment is capable of performing. This list is only illustrative
and is not intended to be exhaustive of the many other applications to which the present invention may be
advantageously applied.

Displaying data to the user using a layout language (similar to, e.g., TeX, or SCRIPT).
Soliciting input from the user using a layout-type language (similar to, e.g., TeX, or SCRIPT).
Performing digital signatures for data computed under program control.
Verifying digital signatures based on data computed under program control.
Handling co-signatures, possibly including routing suggestions derived from the signer's certificates.
Reading data from user files.
Creating user files.
Erasing user files.
Writing data into user files.
Renaming user files.
Receiving incoming electronic mail.
Reading the contents of electronic mail.
Moving or archiving incoming mail.
Deleting incoming mail.
Generating outbound electronic mail.
Coupling to and controlling an outbound FAX server.
Coupling to and controlling a printer.
Generating a graphical image.
Coupling to and controlling a device that can receive and transmit audio signals.
Accessing various types of equipment, including office equipment, computer equipment (tapes, disks, etc.), robot devices, manufacturing equipment, etc.

Splitting an instance of the travelling program into several instances by virtue of multiple traversals.
Being able to re-combine the data contained in the several travelling programs, possibly not even reflecting the same program, into a single form.
Erasing other instances of travelling programs.
Invoking external programs.
Invoking other travelling programs as subroutines.
Activating other travelling programs as independently executing functions.
Extracting data from a dormant (non-executing) travelling program.
Determining information about another (non-executing) travelling program without having to execute it -- such as name of the program, and other status, etc.
Extracting information from the certificates associated with digital signatures. This information being used to help direct routing if cosignature requirements are involved.
Making a copy of a travelling program as a data variable within another program, or ATTACHing a travelling program as a file to another.

Using one travelling program (the "carrier") to transport a new version of another to various destinations, and replacing the program segment of existing instances with another, more up-to-date version of the program. One way to do this would be for the newer program segment to be added to the end of existing travelling programs. Enhancements to the existing interpreter/loader would recognize that a program segment following the closure segment reflected a suggested program revision. After whatever normal transmission was performed, it would then validate the digital signatures associated with the proposed revised program, and, if they carried the proper authority, would then commence using the new program in place of the program which had arrived as part of the standard traversal.
Attaching user files.
Exporting attached files into user files.
Detaching previously attached files.
Accessing a digital notary device.
Performing a program traversal.
Transmitting user data (in other than a traversal), so that the transmission does not include the travelling program itself (e.g., simply sending a message to another destination).
Using built-in functions to simplify the use, creation, display, construction and receipt of EDI (such as X12 or EDIFACT) to conveniently supply common information and facilities without having to supply these functions in the travelling program. This includes built-in functions which access the Data Element Dictionary, the Segment Dictionary, the segment rules, and the transaction sets themselves.

While the invention has been described in connection with what is presently considered to be the most
practical embodiment, it is to be understood that the invention is not to be limited to the disclosed embodiment,
but on the contrary, is intended to cover various modifications and equivalent arrangements included within
the spirit and scope of the appended claims.

Claims

1. In a communications system having a plurality of computers (Terminals A, B, ..., N) coupled to a channel
(12) over which computers may exchange messages, a method for processing information among said
computers comprising the steps of:

providing a first computer with a sequence of program instructions (Fig. 2, block 22) which are
executed by the first computer, including instructions which determine at least one next destination that
should receive the set of instructions, said set of instructions including instructions for transmitting said
instructions together with accompanying data to said next destination;

computing a digital value, the content of which is based on logical decisions and manipulations
performed by said program; and

performing a digital signature (432) on said digital value at at least one destination.

2. A method according to claim 1, wherein said digital signature is represented as data subject to being
logically processed by said sequence of program instructions.

3. A method according to claim 1, wherein a digital certificate associated with said digital signature is
represented as data subject to being logically processed by said sequence of program instructions.

4. A method according to claim 1, wherein said digital signature is included as part of said accompanying
data transmitted to the next destination.

5. A method according to claim 1, further including the step of translating said data by said sequence of
program instructions into a specialized data structure conforming at least in part to a recognized standard,
whereby said data structure is useful independently of said instructions.

6. A method according to claim 5, further including the step of processing and verifying the digital signature
and the data to which it is applied, independently of the said program instructions.

7. A method according to claim 1, wherein the data is translated under direction of the sequence of
instructions into standardized Electronic Data Interchange (EDI) format.

8. A method according to claim 1, including the step of logically constructing the information to which the
digital signature can be selectively applied, wherein such information is treated as a program variable on
which the sequence of program instructions operate.

9. A method according to claim 1, wherein digital signatures are performed as a function which can be
invoked under control of said sequence of program instructions.

10. A method according to claim 9, wherein the data supplied to said digital signature function reflects values
based on any set of data read from a user's file, data built in to said sequence of program instructions,
data entered by the user, data obtained from other signatures, and data obtained from digital certificates
(514).

11. A method according to claim 1 further including an indication of the authority which has been vested in
a user performing a digital signature (432), by including sufficient digital information to allow verification
that the authority exercised by the signer was properly exercised (434).

12. A method according to claim 1 further including the step of selecting from a collection of digital certificates
the certificate to be used in performing a digital signature (434).

13. In a communications system having a plurality of computers (Terminal A, B, ... N) coupled to a channel
(12) over which computers may exchange messages, a method for processing information among said
computers comprising the steps of:

providing a first computer with a sequence of instructions (Fig. 2, block 22) which are executed by
the first computer, including instructions which determine at least one next destination that should receive
the set of instructions, said set of instructions including instructions for transmitting said instructions
together with accompanying data to said next destination;

acquiring data from users of at least one of said computers via execution of said instructions;

translating said data via the executing of said instructions into a specialized data structure
conforming at least in part to a recognized standard whereby said data structure is useful independently of
said instructions; and

digitally signing said data structure via the execution of said instructions.

14. A method according to claim 13, wherein the data is translated under direction of the set of instructions
into standardized Electronic Data Interchange (EDI) format.

15. A method according to claim 13, including the step of translating by using an EDI translator.

16. A method according to claim 15, wherein the EDI translator is an external module which is invoked under
control of said instructions.

17. A method according to claim 13, wherein at least part of the aggregate of said data structure together
with the digital signature of said data structure is transmitted as a set of data independently of the set of
instructions.

18. A method according to claim 13, wherein at least part of the aggregate of said data structure together
with the digital signature of said data structure is stored separately from the set of instructions.

19. A method according to claim 13, wherein the result of the digital signature is stored as part of the
accompanying data.

20. A method according to claim 13, wherein the result of the digital signature is verified when the set of
instructions is executed at at least one subsequent destination.

21. In a communications system having a plurality of computers (Terminals A, B, ... N) coupled to a channel
(12) over which computers may exchange messages, a method for processing information among said
computers comprising the steps of:

providing a computer with a first travelling program comprising a sequence of instructions which
determine at least one next destination that should receive the set of instructions, said set of instructions
including instructions for transmitting said instructions together with accompanying data to said next
destination;

providing at least one of said computers with a second travelling program (Fig. 37:694);

executing the second travelling program under direction of the first travelling program.

22. A method according to claim 21 wherein the first and second travelling programs are different instances
of the same set of instructions.

23. A method according to claim 21 wherein the first and second travelling programs comprise distinct sets
of instructions.

24. A method according to claim 21 wherein the first travelling program presents data to the second travelling
program which defines the operation to be performed by the second (Fig. 37: 694).

25. A method according to claim 21 wherein the second travelling program returns data to the first travelling
program (Fig. 37:687, 706).

26. A method according to claim 21 wherein both travelling programs are transmitted in a high-level
interpretative format so that the travelling programs and data can be interpreted on a variety of computer system
and hardware architectures.

27. A method according to claim 26 whereby the interpretative format can be processed on at least two distinct
types of computers.

28. A method according to claim 21 wherein the first travelling program erases the second travelling program
from memory.

29. A method according to claim 21 wherein the second program instance is preserved after its execution.

30. In a communications system having a plurality of computers (Terminal A, ... N) coupled to a channel
(12) over which computers may exchange messages, a method for processing information among said
computers comprising the steps of:

providing a computer with a first travelling program instance comprising a sequence of instructions
(Fig. 2, block 22) which are executed by the computer, including instructions which determine at least one
next destination that should receive the set of instructions, said set of instructions including instructions
for transmitting said instructions together with accompanying data to said next destination;

providing at least one of said computers with a second travelling program instance (Fig. 37:694);

processing the second travelling program under direction of instructions in the first travelling
program instance.

31. A method according to claim 30 wherein the processing operation includes the step of erasing the second
travelling program instance.

32. A method according to claim 30 wherein the processing operation includes the step of extracting data from
the second travelling program instance (687, 706).

33. A method according to claim 30 wherein the processing operation includes the step of altering the program
instructions in the second travelling program instance.

34. A method according to claim 30 wherein the processing operation includes the step of altering the value
of the variables stored in the second travelling program instance.

35. A method according to claim 30 wherein said second program instance includes the same instructions
as the first program instance.

36. In a communications system having a plurality of computers (Terminals A, B, ... N) coupled to a channel
(12) over which computers may exchange messages, a method for processing information among said
computers comprising the steps of:

providing a first computer with a sequence of instructions (Fig. 2, block 22) which are executed by
the first computer, including instructions which determine at least one next destination that should receive
the set of instructions, said set of instructions including instructions for transmitting said instructions
together with accompanying data to said next destination; and

selecting a file in response to execution of said sequence of instructions;

transmitting at least part of the content of said selected data file to said next destination in response
to execution of said sequence of instructions; (Fig. 35, 36, 37, 640-642, 680-708, 710-732).

37. A method according to claim 36, including the step of digitally signing at least part of the data of said file.

38. A method according to claim 36, including the step of computing a hash value of at least part of the data
of said file.

39. In a communications system having a plurality of computers (Terminals A, B, ...N) coupled to a channel
(12) over which computers may exchange messages, a method for forwarding information in said
communications system comprising the steps of:

providing a first computer with a set of instructions (Fig. 2, block 22) which are executed by the
first computer including instructions which generate a plurality of instances of said set of instructions and
which initiate transmission to at least a first and a second destination which respectively receive one of
said instances together with accompanying data; and

including within said instances transmitted to said first and second destinations the capability of
subsequently merging data that has been accumulated during their distinct transmission paths (Fig. 37).

40. A method according to daim 39, further including the steps of: 

establishing one instance as the master instance (682); and controlting.the master to extract data 
from other instances as they arrive at the merging destination. 

1$ 

41. In a communications system having a plurality of computers (Terminals A, B, ... N) coupled to a channel
(12) over which computers may exchange messages, a method for processing information among said
computers comprising the steps of:

providing a first computer with a sequence of program instructions (Fig. 2, block 22) which are
executed by the first computer, including instructions which determine at least one next destination that
should receive the set of instructions, said set of instructions including instructions for transmitting said
instructions together with accompanying data to said next destination; and

qualifying the set of operations which said sequence of instructions is allowed to perform.

42. A method according to claim 41, wherein said qualifying means are specified by a party using said
program.

43. A method according to claim 41, wherein said qualifying means are digitally signed by a party trusted by
the parties using said travelling program.

44. In a communications system having a plurality of computers (Terminals A, B, ... N) coupled to a channel
(12) over which computers may exchange messages, a method for processing information among said
computers comprising the steps of:

providing a first computer with a sequence of program instructions (fig. 2, block 22) which are
executed by the first computer, including instructions which determine at least one next destination that
should receive the set of instructions, said set of instructions including instructions for transmitting said
instructions together with accompanying data to said next destination; and

performing a digital signature by using a private key stored in a user token device.

45. A method according to claim 44 including the step of determining whether the user's private key is stored
in a token device or in computer memory, and the step of processing the signature with the said token
device or in the user's computer, respectively.

46. In a communications system having a plurality of computers (Terminals A, B, ... N) coupled to a channel
(12) over which computers may exchange messages, a method for processing information among said
computers comprising the steps of:

providing a first computer with a sequence of program instructions (Fig. 2, block 22) which are
executed by the first computer, including instructions which determine at least one next destination that
should receive the set of instructions, said set of instructions including instructions for transmitting said
instructions together with accompanying data to said next destination; and

performing a date/time notarization.

47. In a communications system having a plurality of computers (Terminal a, b, ... N) coupled to a channel
(12) over which computers may exchange messages, a method for processing information among said
computers comprising the steps of:

providing a first computer with a sequence of program instructions (Fig. 1, 22) which are executed
by the first computer, including instructions which determine at least one next destination that should
receive the set of instructions, said set of instructions including instructions for transmitting said instructions
together with accompanying data to said next destination; and

performing a time delay function (Fig. 9: 570).






EP 0 565 314 A2 



[Figure: block diagram. Labels: COMMUNICATIONS CHANNEL 12; MODEM; KEYBOARD/CRT; TERMINAL A; PROCESSOR W/MAIN MEMORY; NON-VOLATILE STORAGE; MODEM; TERMINAL B.]



[Figure: TRAVELLING PROGRAM DATA STRUCTURE. Labels: HEADER (EACH SEGMENT CONTAINS AN INDICATION OF ITS TYPE AND SIZE); DATES; PROGRAM AUTHORIZING INFO VERSION; INFORMATION TO RESUME EXECUTION; EXECUTION STACK, PLB, ETC.; PROGRAM; VARIABLES (FOR EACH VARIABLE: SIZE OF VARIABLE NAME, VARIABLE NAME, SIZE OF VALUE, VALUE, EXECUTION STACK LEVEL TO WHICH VARIABLE BELONGS); DIGITAL CERTIFICATES (OPTIONAL CERTIFICATES TO PERMIT VERIFICATION OF ANY SIGNATURES); OPTIONAL FILE IMAGES RECORDED BY NAME; POSSIBLY OTHER TYPES OF SEGMENTS; (CLOSURE) TRAVERSAL VALIDATION INFORMATION FOR OVERALL AUTHENTICATION INCLUDING OVERALL SIGNATURE.]

[Figure: flowchart. Labels: READ EACH CERTIFICATE; CREATE CERTIFICATE ELEMENT (IN CCA); ALL CERTIFICATES.]



[Figure: XCA. Labels: ADDRESS AND SIZE OF PROGRAM WITHIN INCOMING FILE (MAY BE EITHER SOURCE OR P-CODE AND INDICATOR IS MAINTAINED AS TO WHICH IS THE CASE); P-CODE & SIZE; CURRENT PCB; FCB LIST; CERTIFICATION CONTROL AREA; VARIABLE-INFO TABLE; SECURITY INFO (E.G. DIGITAL AND AUTHORIZATION) ON PROGRAM; NAME OF FILE CONTAINING INCOMING TRAVELING PROGRAM (FILE WITH INCOMING TRAVERSAL); # OF PRIOR TRAVERSALS IN ARRIVAL PATH; INPUT PARAMETERS; INPUT HEADER INFO.]



[Figure: FCB. Labels: EXT FCB; STATUS (WHETHER FILE JUST ATTACHED; WHETHER IT IS TO BE DETACHED ON NEXT TRAVERSAL; FILE HAS BEEN EXPORTED); TYPE OF FILE (STREAM, RECORD), AND OTHER ATTRIBUTES; IF IN INCOMING TRAVERSAL, GIVE POSITION AND SIZE WITHIN FILE; TAG FOR REFERENCING THIS FILE; LOCAL NAME OF FILE (IF FILE IS ATTACHED, OR HAS BEEN EXPORTED); HASH OF THE ASSOCIATED FILE (IF PRESENT IN REPORT).]

[Figure: flowchart. Labels: READ (& HASH) HEADER, STORE INTO XCA; ERROR.]



[Figure: PCB. Labels: PRIOR PCB ON STACK; NEXT P-CODE POSITION; LAST P-CODE OPERATION; EXPRESSION EVALUATION STACK (USED DURING EXPRESSION EVALUATION); LEVEL OF THIS STACKING PROGRAM; LIST OF SHARED (EXPOSED) VARIABLES; LISTS OF OTHER RESOURCES PRIVATE TO THIS LEVEL.]

[Figure: VCB. Labels: SIZE OF VALUE; VALUE; TYPE OF VARIABLE (OPT); LEVEL OF CONTROL (FOR CLEARINGS); SIZE OF NAME; NAME; B-TREE POSITION POINTERS.]



[Figure: flowchart, LOADER (START). Labels: CREATE XCA AND INITIAL PCB; SAVE ACCESS TO INPUT PARAMETER; SAVE INPUT FILE NAME; INITIALIZE VIT; READ INPUT AND DETERMINE TYPE OF SEGMENT, PROCESS IT AS INDICATED (HEADER, PROGRAM, VARIABLE, CERTIFICATE, FILE, CLOSURE); WAS "CLOSURE" SUCCESSFULLY PROCESSED?; STOP WITH VALIDITY CHECK; PREPARE TO EXECUTE (STACKS ARE RESTORED; VIT & VCBs ARE RESTORED; PCBs ARE RESTORED AND CONTAIN EXECUTION RESUME POINT).]



[Figure: flowchart for the program segment. Labels: ANY HEADER? BUT NO PROGRAM LOADED?; ERROR; READ PROGRAM AND TAKE HASH; HASH &/OR DIGITAL SIGs AUTHORIZED & VERIFIED; ERROR; SAVE SECURITY & AUTHORIZATION IF ANY; IS THIS SENT AS P-CODE (YES/NO); COMPILE SOURCE INTO P-CODE; DELETE SOURCE IMAGE; SAVE ADDRESS & SIZE OF THE PROGRAM WITHIN THE INCOMING FILE IN THE XCA; SET ADDRESS & SIZE OF P-CODE INTO PCB & XCA.]




[Figure: flowchart for the variables segment. Labels: HEADER & PROGRAM LOADED, BUT NO PRIOR VARIABLES?; CREATE VCB; INSERT VARIABLE IDENTIFIER INTO VCB; INSERT VALUE INTO VCB; SET STATUS IN VCB; ADD VCB TO PROPER SPOT IN VIT; OTHER VARIABLE INFO (STACKS, PCBs).]

[Figure: flowchart, "CLOSURE". Labels: COMPUTE HASH OF ALL PREVIOUS HASHES; MATCH HASH ADDED WHEN TRAVERSAL SENT (STORED IN CLOSURE SEGMENT)?; ERROR; POSSIBLY NOTIFY THAT DATA IS NOT ENTIRELY SIGNED; VERIFY SIGNATURE & TELL USER WHO "REALLY" SENT THE FORM.]

[Figure: flowchart, HANDLE BUILT-IN FUNCTION. Labels: PASS CONTROL TO BUILT-IN FUNCTION; EXECUTION STACK IS THE INPUT.]



[Figure: flowchart for the FILE segment. Labels: VARIABLES (EVEN IF NULL) ALREADY LOADED?; ERROR (BAD INCOMING FILE); IS THIS FILE TAG ALREADY LOADED?; ERROR (DUPLICATE FILE); BUILD FCB FOR THIS FILE (SET TAG NAME; SET OTHER STATUS; SET FILE POSITION RELATIVE TO INPUT FILE, FOR LATER DIRECT RETRIEVAL); READ THRU FILE UNTIL END (BUT NOT NECESSARY TO LOAD INTO MEMORY), COMPUTE HASH; SAVE SIZE OF FILE; ADD FCB TO COLLECTION BASED ON XCA.]



[Figure: flowchart, PROCESS P-CODE INSTRUCTIONS. Labels: FROM CURRENT PCB, GET POSITION OF NEXT P-CODE INSTRUCTION (52 IN FIG. 5); SAVE TYPE OF P-CODE OPERATION (54 IN FIG. 5), USED E.G. TO DISTINGUISH CALL VS. FUNCTION INVOCATION, ETC.; UPDATE THE PCB (52) TO REFLECT SUBSEQUENT P-CODE INSTRUCTION AS REVISED "NEXT"; PERFORM THE P-CODE OPERATION (EACH P-CODE OPERATION IS HANDLED BY A ROUTINE WITHIN THE INTERPRETER).]



[Figure: flowchart, AFTER P-CODE OPERATION PERFORMED. Labels: DID P-CODE OPERATION REQUEST A "LOGICAL" INTERRUPT (NO); PERFORM ANY "PREVIOUS" ROUTINE; CLEANUP STORAGE, FILES, LOADED SUBROUTINES, ETC., ALLOW FOR POSSIBLE EXIT PARAMETER; PERFORM ROLLOUT: WRITE ALL WORKING STORAGE TO AUXILIARY MEMORY. THIS INCLUDES DATA STORAGE SUCH AS VCBs, VIT, FCBs, XCA, PCBs, THE EXECUTION START, THE P-CODE ITSELF. IN SOME ENVIRONMENTS THIS MAY EVEN ROLLOUT TO INTERPRETER ITSELF; LEAVE ONLY ENOUGH PROGRAM AND DATA IN STORAGE TO LATER: INVOKE THE "INTER-ROLLOUT" ROUTINE, RESTORE THE INTERPRETER, KEEP TRACK OF HOW TO RELOAD WORKING STORAGE; INVOKE THE "INTER-ROLLOUT" ROUTINE, E.G. WAIT FOR INPUT, WAIT FOR TIMER, CALL EXTERNAL ROUTINE; ON RETURN: RELOAD THE INTERPRETER, RECOVER WORKING STORAGE FROM AUXILIARY; PROCESS ANY "POST-WAIT" ROUTINE ASSOCIATED WITH INTERRUPT.]
[Figure: flowchart, EXTERNAL FUNCTIONS/CALLS. Labels: LOCATE FUNCTION, BY NAME, FROM APPROPRIATE SELECTION OF LIBRARIES; IMPLEMENTATION OPTION: SHOULD PROGRAM BE TERMINATED OR RATHER SOME DEFAULT ACTION?; ISSUE ERROR MESSAGE AND EXIT PROGRAM WITH APPROPRIATE CODE; TAKE DEFAULT ACTION, E.G. RETURN SPECIAL VALUE; CREATE PARAMETER LIST IN NON-ROLLBACK STORAGE; SET P-CODE INTERRUPT WITH: PRE-ROLLOUT = ESTABLISH PARAMETERS; INTER-ROLLOUT = INVOKE EXTERNAL ROUTINE WITH PARM LIST JUST CONSTRUCTED; POST-WAIT = RELEASE INPUT PARM LIST, AND IF FUNCTION INVOKED, THEN COPY RESULT TO OUR EXECUTION STACK; GOTO CLEANUP.]

[Figure: flowchart. Labels: GO TO "START", WITH INDICATOR THAT THIS IS "INVOKED" EXECUTION; PASS ANY DESIRED PARAMETER; OUR RETURN: OUR STORAGE MAY BE RELOCATED, THEREFORE WE HANDLE THIS RELOCATION IN IMPLEMENTATION DEPENDENT; IF THIS WAS TYPE-FUNCT, THEN USE RETURNED VALUE AS RESULT OF P-CODE OPERATION.]
[Figure: flowchart, TRAVERSE. Labels: COLLECT ALL RELEVANT VARIABLE DATA INTO A TRANSMISSION FORMAT (VIT, PCBs, VARIABLE STACKS, VCBs); LOAD RETURN VALUE OF 1 ONTO STACK; CONSTRUCT HEADER, TRANSMIT HEADER; TRANSMIT PROGRAM & AUTHORIZING INFORMATION FROM INPUT FILE; TRANSMIT VARIABLES (NAME, CURRENT VALUE, ANY STATUS); TRANSMIT ANY CERTIFICATES WHICH WERE COLLECTED AS PART OF DOING DIGITAL (AUTHORIZING) SIGNATURES DURING THIS OR PREVIOUS TRAVERSAL; EXAMINE ALL FCBs; ANY MORE FCBs TO EXAMINE?; SCHEDULED TO BE DETACHED?; COPY TAG NAME INTO TRANSMISSION; PART OF INCOMING TRAVERSAL (YES/NO); COPY FILE, ALSO COPY ATTRIBUTES FROM INCOMING TRAVERSAL INTO OUTBOUND TRANSMISSION (INPUT FILE NAME IS XCA, INPUT POSITION IS IN FCB); COPY FILE TYPE & ATTRIBUTES INTO TRANSMISSION, COPY FILE INTO TRANSMISSION; IS "OVERALL" USER-TO-USER DIGITAL SIGNATURE REQUESTED OR REQUIRED BY SYSTEM, USER, OR PROGRAM?; PERFORM DIGITAL SIGNATURE IN HASH OF ALL MATERIAL TRANSMITTED (HASH WAS TAKEN AS EACH PART OF TRANSMISSION). THIS STEP MAY INVOLVE USER INTERACTION TO PERFORM THE SIGNATURE; SUPPLY VALIDATION AT END OF TRANSMISSION AS THE "CLOSURE" SEGMENT: HASH REFLECTING PRIOR MATERIAL (UNAUTHENTICATED VALIDATION); SIGNED HASH TO ARCHIVE USER-TO-USER AUTHENTICATION; INCLUDE ANY NEW CERTIFICATES WHICH MAY NOT APPEAR IN THE CERTIFICATE SECTION; CLOSE TRANSMISSION; REMOVE THE "1" FROM THE RETURN STACK AND REPLACE IT WITH "0".]
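The loader and traverse flowcharts above describe per-segment hashing, segment ordering checks, duplicate file tag rejection and a closure segment holding a hash of all previous hashes. The following Python code is an added example, not code from the patent; the wire layout (1-byte type, 4-byte size), the type codes, SHA-256 and every function name are assumptions, and the signed hash is left out so that only the unauthenticated validation hash is shown.

```python
import hashlib
import hmac
import struct

# Type codes and the 1-byte type / 4-byte size layout are assumptions; the
# figure only says each segment carries an indication of its type and size.
HEADER, PROGRAM, VARIABLES, FILE, CLOSURE = 1, 2, 3, 4, 5
# Segment types that must already be loaded before each type is accepted.
REQUIRED_BEFORE = {HEADER: set(), PROGRAM: {HEADER},
                   VARIABLES: {HEADER, PROGRAM}}

class BadTraversal(Exception):
    """An incoming traversal failed a loader check."""

def segment(seg_type, payload):
    return struct.pack(">BI", seg_type, len(payload)) + payload

def file_payload(tag, data):
    # Assumed file-segment layout: 1-byte tag length, tag, file image.
    return bytes([len(tag)]) + tag + data

def build_traversal(segments):
    """Serialize (type, payload) pairs, hash each, append the closure."""
    out, hashes = b"", []
    for seg_type, payload in segments:
        seg = segment(seg_type, payload)
        hashes.append(hashlib.sha256(seg).digest())
        out += seg
    # Closure payload: hash of all previous segment hashes.
    return out + segment(CLOSURE, hashlib.sha256(b"".join(hashes)).digest())

def load_traversal(blob):
    """Parse a traversal, enforcing segment order and the closure hash."""
    pos, hashes, seen, files, parts, closed = 0, [], set(), {}, {}, False
    while pos < len(blob):
        if closed:
            raise BadTraversal("data after closure segment")
        if pos + 5 > len(blob):
            raise BadTraversal("truncated segment header")
        seg_type, size = struct.unpack_from(">BI", blob, pos)
        end = pos + 5 + size
        if end > len(blob):
            raise BadTraversal("segment size runs past end of input")
        payload = blob[pos + 5:end]
        if seg_type == CLOSURE:
            expected = hashlib.sha256(b"".join(hashes)).digest()
            if not hmac.compare_digest(payload, expected):
                raise BadTraversal("closure hash mismatch")
            closed = True
        elif seg_type == FILE:
            if VARIABLES not in seen:  # variables (even if null) come first
                raise BadTraversal("segment out of order")
            if not payload or len(payload) < 1 + payload[0]:
                raise BadTraversal("malformed file segment")
            tag = payload[1:1 + payload[0]]
            if tag in files:
                raise BadTraversal("duplicate file tag")
            # Like the FCB, record the file's hash rather than its image.
            files[tag] = hashlib.sha256(payload[1 + payload[0]:]).hexdigest()
        elif seg_type in REQUIRED_BEFORE:
            if seen != REQUIRED_BEFORE[seg_type]:
                raise BadTraversal("segment out of order")
            parts[seg_type] = payload
        else:
            raise BadTraversal("unknown segment type")
        if not closed:
            seen.add(seg_type)
            hashes.append(hashlib.sha256(blob[pos:end]).digest())
        pos = end
    if not closed:
        raise BadTraversal("no closure segment")
    return {"program": parts.get(PROGRAM), "files": files}

# Constructed sample traversal (all values invented for the example).
SAMPLE = [(HEADER, b"version=1"), (PROGRAM, b"say 'approve?'"),
          (VARIABLES, b"amount=100"),
          (FILE, file_payload(b"invoice", b"total=100"))]

def verdict(blob):
    """Return "ok" or the reason the loader rejected the traversal."""
    try:
        load_traversal(blob)
        return "ok"
    except BadTraversal as err:
        return str(err)
```

A plain closure hash only catches changes made without recomputing it; anyone able to rewrite a segment can also rewrite the hash, which is why the flowchart also places a signed hash in the closure segment.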
[Fig. 23: flowchart, ERASE (FILE NAME). Labels: ATTEMPT TO ERASE FILE; SYSTEM & USER SECURITY CONTROLS WILL GOVERN WHETHER THIS IS SUCCESSFUL; BACK (RETURN SUCCESS); BACK WITH ERROR STATUS.]
[Figure: flowchart, ATTACH (TAG, FILENAME). Labels: DOES FCB WITH SAME TAGS EXIST?; DOES SPECIFIED "FILENAME" REFLECT EXISTING FILE WHICH IS ACCESSIBLE BY USER?; DELETED; PASS BACK ERROR CODE; BACK TO BUILT-IN FUNCTION DEVICE; BUILD FCB WITH SPECIFIED "TAG" & FILENAME, FILE WILL BE ATTACHED DURING TRAVERSE; BACK WITH "SUCCESS" CODE.]

[Figure: flowchart, DETACH (TAG). Labels: DELETE FCB; BACK WITH ERROR INDICATOR RESULT; BACK WITH "SUCCESS" CODE.]
[Figure: flowchart, EXPORT (TAG, OUTPUT FILE NAME, REWRITE INDICATOR). Labels: DOES FCB EXIST FOR SPECIFIED TAG?; WAS FILE PART OF INCOMING TRAVERSAL?; BACK WITH ERROR INDICATING CODE; DOES SPECIFIED FILE ALREADY EXIST?; CREATE NEW FILE IF PERMITTED AND PREPARE TO START AT BEGINNING; BACK WITH ERROR: NOT ALLOWED TO EXPORT NEWLY ATTACHED FILES; BACK WITH ERROR CODE; ERASE EXISTING FILE; SHOULD WE OVERWRITE, OR ADD NEW STUFF AT END? (AT END); COPY DATA FROM THE CORRECT POSITION IN THE INCOMING TRAVERSAL FILE TO THE OUTPUT FILE; PREPARE TO START ADDING AT END OF EXISTING FILE; BACK WITH SUCCESS CODE RESULT.]
[Figure: flowchart, SIGN (BUILT-IN FUNCTION) [VALUE=SIGN(DATA, PARMS...)]. Labels: CONSTRUCT DATA TO BE SIGNED, AND MOVE THAT TOGETHER WITH ANY OTHER PARAMETERS (SUCH AS AUTHORITY) TO WORK AREA FOR PARM TO THE INTER-ROLLOUT ROUTINE; EXIT, AND SCHEDULE A "P-CODE INTERRUPT" WITH PRE-ROLLOUT = NULL AND THE INTER-ROLLOUT AND POST-WAIT ROUTINES BELOW. (POST WAIT): PUSH RESULT (SIGNATURE VALUE, OR ERROR CODE) ONTO STACK; EXIT WITH ERROR CODE. (INTER-ROLLOUT): PRESENT PANEL TO SOLICIT USER SELECTION (DO WITHOUT AS NEEDED); INDICATE ERROR AND RETURN WITH APPROPRIATE ERR; LOCATE ASSOC. PRIVATE KEY; PRESENT PANEL TO SOLICIT SECRET PASSWORD USED TO DECRYPT PRIVATE KEY; HAVE TOKEN COMPUTE SIGNATURE; DECRYPT PRIVATE KEY VIA PASSWORD, COMPUTE SIGNATURE, ERASE CLEAR TEXT IMAGE OF PRIVATE AND PASSWORD KEYS; ADD TO OVERALL CERTIFICATE LIST (CCA) ANY CERTIFICATE, NOT ALREADY PRESENT, NECESSARY TO VALIDATE THIS SIGNATURE AND AUTHORITY; RETURN WITH SIGNATURE AS RESULT.]
[Figure: flowchart, DISPLAY (LAYOUT DESCRIPTION NAME). Labels: GENERATE OUTPUT FROM SPECIFIED LAYOUT DEFINITION: ANALYZE CONDITIONED ATTRIBUTES & STATIC ATTRIBUTES FOR FIELDS & GROUP OF FIELDS; DO VARIABLE SUBSTITUTION; DO ITERATION & CONDITIONAL LOGIC AS NECESSARY; RETAIN ASSOCIATION BETWEEN INPUT FIELDS & THE CORRESPONDING VCB EVEN AS THE FIELD IS FLOWED INTO ITS FINAL OUTPUT POSITION; APPLY RESULTING ATTRIBUTES TO EACH FIELD, E.G. COLOR, FONT, BOLDFACE/ITAL, STYLE, SIZE, UNDERLINE, BLINKING, REVERSE VIDEO, NON DISPLAY, HIGH INTENSITY; INSERT POSSIBLE ERROR MSG & INDICATE PROPER CURSOR POS; WRITE THE FIELDS TO THE USER'S TERMINALS ALLOWING INPUT FIELDS AS APPROPRIATE; PERFORM (OPTIONAL) ROLL OUT; USER DOES DATA ENTRY; MAP BACK INPUT FIELDS; ANALYZE INPUT: INSERT INPUT DATA IN ALL ASSOCIATED VARIABLES, PERFORM FIELD VERIFICATION FOR ALL INPUT FIELDS; CROSS-VERIFY FIELDS IN CONTEXT; FIELD IN CONTEXTUAL ERROR? (YES); PRODUCE ERROR MSG & POSITION CURSOR TO ERRANT FIELD; RETURN TO CALLER.]
[Figure: flowchart, TIME DELAY (TIME). Labels: SET SYSTEM ALARM CLOCK FOR SPECIFIED TIME; SCHEDULE "INTERRUPT"; BACK; WAIT FOR TIMER TO CHIME; BACK.]
[Figure: flowchart, SELECT FROM DIRECTORY (OF FILES, USERS, ETC.). Labels: CREATE LIST OF ALL CANDIDATE ITEMS; PRESENT PANEL WITH (AT LEAST PART OF) THIS LIST; SCHEDULE "INTERRUPT"; WAIT FOR USER SELECTION; RETURN THE NAMES OF THE SELECTED ITEMS EITHER AS A FUNCTION RESULT OR AS A SET OF SPECIAL VARIABLES; BACK.]
[Figures: signing and verification flowcharts. Labels: CONSTRUCT DATA TO BE DIGITALLY SIGNED; DISPLAY DATA TO USER; USER AUTHORIZE SIGNATURE? (NO/YES); INVOKE FUNCTION TO SIGN COMPUTED DATA; SAVE DIGITAL SIGNATURE AS PROGRAM VARIABLE. VERIFY: ASSEMBLE DATA TO BE VERIFIED; INVOKE VERIFY-FUNCTION WITH VARIABLES AND THE SIGNATURE; TAKE APPROPRIATE ACTION WITH RESULT.]
[Figures (including Fig. 33): file handling flowcharts. Labels: DETERMINE FILE TO BE TRANSFERRED; ASK USER TO HELP DETERMINE FILE TO BE TRANSFERRED; ATTACH ACTIVE FILE CONTENTS TO SET OF DATA TO BE TRANSFERRED. DETERMINE FILE CONTAINING DATA TO BE READ; READ DATA FROM SPECIFIED FILE AND SAVE AS PROGRAM VARIABLES. DETERMINE USER FILE INTO WHICH DATA IS TO BE WRITTEN; INVOKE FUNCTION THAT WRITES PROGRAM VARIABLES INTO USER FILE.]
[Figure: flowchart, PREPARE TO SPLIT. Labels: SET VARIABLES APPROPRIATELY; DETERMINE DISTINCTION; TRANSMIT (IMAGE OF PROGRAM; PROGRAM & VARIABLE; ANY OTHER APPROPRIATE DATA); MORE DESTINATIONS TO WHICH TO SPAWN?; DO FINAL TRAVERSAL: TRANSMIT (PROGRAM & VARIABLE; ANY OTHER APPROPRIATE DATA); INSTANCE 1; INSTANCE 2; INSTANCE 3; INSTANCE N.]
[Figure: flowchart. Labels: TRAVELLING PROGRAM ARRIVES AT "MERGING" DESTINATION; AND IS EXECUTED WITH STANDARD; RETURN PERTINENT VARIABLES; COLLECT ALL DATA FROM FILE INTO OUR VARIABLES, ERASE FILE, TRANSMIT AGGREGATE DATA TO NEXT DEST; ERASE INSTANCE JUST INVOKED.]

[Figure: flowchart. Labels: TRAVELING PROGRAM ARRIVES AT MERGING DESTINATION AND IS RUN; WRITE COLLECTED DATA FOR THIS INSTANCE TO SPECIAL (PERMANENT) FILE; MSG: "WAITING FOR MORE FORMS TO ARRIVE"; DELETE THIS CURRENT (INSTANCE); SEND THIS FORM TO NEXT DESTINATION; EXIT; EXIT.]
[Figure: flowchart, NEED TO SOLICIT USER FOR A PARTICULAR X12 CHARACTERISTIC. Labels: CALL X12SUB (SEGMENT NAME, "XX YY WW"), WHERE "XX YY WW" ARE POPULAR COMMON OPTIONS (THE "SHORT LIST", IN ORDER OF NORMAL USAGE); IS "SHORT LIST" EMPTY?; USE DATA DICTIONARY FOR THIS SEGMENT TO LOCATE THE EXPANDED DESCRIPTIONS OF EACH OF THE OPTIONS ON SHORT LIST (USE X12 DATANAME FUNCTION); DISPLAY THE SHORT LIST; USER WANTS FULL LONG LIST?; USE SEGMENT NAME TO LOCATE SEGMENT DICTIONARY TABLE OF ALL ASSOCIATED DATA OPTIONS (X12 SEG LIST); USE DATA DICTIONARY TO EXPAND EACH ASSOCIATED DESCRIPTION DATA (USE X12 DATANAME FUNCTION); DISPLAY THE LONG LIST; ACCEPT USER'S SELECTION FROM SHORT LIST; ALL DATA COLLECTED? (NO: GET MORE ITEMS; YES); ASSEMBLE AND EMIT COMPLETED X12 TRANSACTION.]
[Figure: flowchart. Labels: READ RECEIVED EDI TRANSACTION; PARSE ENCODED EDI NOTE PROGRAM VARIABLES; MOVE RECEIVED EDI TO ARCHIVE REPOSITORY; PROCESS SEGMENTS VIA COUPLED SEGMENTS DICTIONARY; ENFORCE SEGMENT RULES; LOCATE DATA DICTIONARY ASSOCIATED WITH SEGMENT; DESC=X12 DATANAME (SEGCODE, DATA ITEM); USE COUPLED DATA DICTIONARY RETRIEVE TO GET MEANINGFUL DESCRIPTION OF DATA ITEM; PUT THIS INTO DISPLAY VARIABLE; PROCESS ALL DATA ITEMS IN SEGMENT; PROCESS ALL SEGMENTS IN TRANSACTION.]